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ABSTRACT 


The  investigatory  findings  of  the  Space  Shuttle  Challenger  and  Columbia 
accident  investigation  boards  are  analyzed  and  evaluated  relative  to  one  another,  with  the 
goal  of  determining  if  there  are  lessons  applicable  to  organizations  that  manage 
technically  complex  programs.  An  analysis  is  conducted  of  the  recommendations  from 
the  Challenger  investigation  and  NASA’s  actions  taken  to  correct  problems  in  the 
organization.  The  effectiveness  of  both  the  recommendations  and  NASA’s  response  in 
tenns  of  preventing  the  Columbia  accident  are  examined.  In  the  intervening  years 
between  the  Challenger  and  Columbia,  several  unofficial  analyses  of  the  Challenger 
accident  and  investigation  have  been  published.  The  findings  of  these  independent  works 
are  presented  in  order  to  detennine  any  relationship  to  the  Columbia  accident  and  the 
subsequent  Columbia  investigation.  The  investigation  of  the  Columbia  accident  and 
Challenger  accident  are  compared  to  detennine  if  any  of  the  investigatory  findings 
indicate  that  there  were  common  factors  in  the  accidents.  An  evaluation  of  the  NASA 
organizational  structure  and  culture  is  conducted.  The  impact  of  the  culture  on 
implementing  the  changes  recommended  after  Challenger  and  relationship  to  the 
Columbia  accident  and  investigation  is  examined.  These  analyses  and  examinations 
result  in  several  conclusions  and  recommendations  applicable  to  organizations  that 
manage  technically  complex  programs. 
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I.  INTRODUCTION 


A.  PURPOSE 

The  purpose  of  this  research  paper  is  to  investigate,  analyze,  and  evaluate  the 
investigatory  findings  of  the  Space  Shuttle  Columbia  and  Challenger  accidents.  The 
focus  of  the  research  is  an  analysis  of  the  recommendations  from  the  Challenger 
investigation,  and  the  National  Aeronautics  and  Space  Administration’s  (NASA’s) 
actions  taken  in  response  to  the  recommendations  to  determine  the  effectiveness  of  both 
the  recommendations  and  NASA’s  response  in  terms  of  preventing  the  Columbia 
disaster.  This  study  compares  the  Challenger  and  Columbia  investigatory  findings  to 
determine  if  any  recommendations  indicate  there  were  common  factors  in  the  accidents. 

This  paper  does  not  seek  to  find  common  technical  basis  for  the  accidents,  but 
rather  common  organizational  and  cultural  factors  in  the  accidents.  Further, 
recommendations  that  are  unique  to  the  Columbia  investigation  are  analyzed  with  respect 
to  their  relevance  to  the  Challenger  accident  and  whether  identification  at  the  time  of  the 
Challenger  accident  may  have  had  a  positive  impact  on  preventing  the  Columbia 
accident.  Finally,  this  piece  provides  generalized  observations  and  recommendations, 
distilled  from  NASA’s  experiences,  to  other  activities  that  similarly  pursue  large-scale, 
technically  complex,  risky-laden,  taxpayer-funded  projects  within  the  confines  and 
culture  of  an  outsized,  widely  dispersed,  strictly  hierarchical  bureaucracy. 


B.  BACKGROUND 

Within  the  course  of  one  generation,  the  National  Aeronautics  and  Space 
Administration  (NASA)  has  witnessed  two  disastrous  accidents  that  have  claimed  the 
lives  of  fourteen  of  this  nation’s  best  and  brightest  individuals  and  have  shaken  the 
confidence  of  the  nation  in  continued  manned  exploration  of  space.  On  28  January  1986, 
the  Space  Shuttle  Challenger  (mission  51-L)  exploded  seventy-three  seconds  after 
takeoff  due  to  a  failure  of  an  O-ring  seal  on  one  of  the  two  Solid  Rocket  Boosters  (SRBs). 
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Detailed  investigation  ensued  encompassing  a  Presidential  Commission1,  Congressional 
investigations  and  hearings23,  internal  NASA  investigations,  and  numerous  reports  from 
governmental  scientific  organizations  such  at  the  National  Research  Council4.  The 
magnitude  of  these  investigations  combined  with  the  re-ordering  of  NASA’s  processes 
and  procedures,  and  safety  program  revitalization  in  response  to  the  recommendation  of 
these  investigations,  lead  to  the  expectation  of  elimination  or  reduced  possibility  of  future 
shuttle  accidents.  However,  on  1  February  2003,  Space  Shuttle  Columbia  mission  Space 
Transport  System  (STS)- 107  broke  apart  on  reentry  due  to  an  incident  that  occurred  81.7 
seconds  after  launch,  seventeen  days  earlier.  Once  again,  Commissions  were  appointed, 
hearings  held,  findings  issued,  and  plans  for  correction  were  issued.5 

C.  RESEARCH  QUESTIONS 

It  is  not  the  intent  of  this  research  to  analyze  the  technical,  scientific,  or 
engineering  findings  of  the  investigations,  for  it  is  obvious  that  the  specific  failure  that 
ultimately  brought  down  each  shuttle  was  quite  different  in  nature  and  root  cause.  Rather 
the  purpose  in  analyzing  the  investigatory  findings  is  to  answer  the  following  questions. 

1.  What  similarities  and  differences  exist  when  comparing  the  recommendations 
made  by  both  commissions?  Are  there  any  recommendations  from  the 
Challenger  investigation  that  if  properly  implemented,  could  have  affected  the 
issues  leading  to  the  Columbia  accident?  Are  there  any  recommendations  from 
the  CAIB  that  could  have  been  identified  by  the  Challenger  investigation?  For 


1  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident  -  William  P.  Rogers  Chairman, 
Report  of  the  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  Washington,  D.C.  6  June 
1986. 

2  House  of  Representatives,  Committee  on  Science  and  Technology,  Ninety-Ninth  Congress, 
Investigation  of  the  Challenger  Accident  (Volume  1  and  2),  Hearings  before  the  Committee  on  Science  and 
Technology’,  Government  Printing  Office,  Washington,  D.C.,  1986. 

3  United  States  Senate,  Committee  on  Commerce,  Science  and  Transportation,  Ninety-Ninth  Congress, 
Space  Shuttle  Accident,  Hearings  before  the  Subcommittee  on  Science,  Technology’  and  Space,  Government 
Printing  Office,  Washington,  D.C.,  1986. 

4  National  Research  Council,  Post-Challenger  Evaluation  of  Space  Shuttle  Risk  Assessment  and 
Management,  National  Academy  Press,  Washington  D.C.  January  1988. 

5  Columbia  Accident  Investigation  Board  (CAIB),  Columbia  Accident  Investigation  Board  Report,  p. 

9,  Government  Printing  Office,  Washington  D.C.,  2003. 
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any  recommendations  that  were  made  by  both  commissions,  is  it  expected  that  the 
post  Columbia  NASA  can  implement  the  recommendation  more  effectively? 

2.  Are  there  factors,  that  neither  investigation  identified,  that  should  be  considered  in 
helping  to  prevent  future  catastrophic  occurrences  in  complex  engineering 
development  projects? 

3.  What  problems  existed  in  the  NASA  culture  during  the  times  of  both  accidents? 
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II.  THE  ACCIDENTS 


A.  CHALLENGER’S  FINAL  MISSION 

Mission  51-L  of  the  Challenger,  the  25th  flight  of  the  Space  Shuttle  Program  was 
initially  planned  for  July  1985  and  originally  delayed  until  November  1985,  once  the 
crew  was  assigned.  Further  modifications  to  payload  changes  and  other  flight  changes 
resulted  in  a  subsequent  rescheduling  for  late  January  1986.  The  mission  of  51-L 
included  two  satellites  for  deployment,  execution  of  a  number  of  experiments  in  the  crew 
compartment,  and  the  introduction  of  the  Teacher  in  Space  program.  Starting  on  23 
December  1985  three  further  postponements  of  the  flight  occurred.  On  that  date,  the 
launch  was  slipped  from  22  January  1986  to  23  January  1986  due  to  a  slip  in  mission  61- 
C  that  preceded  51-L.  On  22  January  1986  (the  day  before  the  then  launch  date)  the 
launch  was  slipped  to  26  January  1986,  again  due  to  work  requirements  related  to  the  late 
launch  of  61-C.  The  third  postponement  occurred  on  the  evening  before  the  launch  due 
to  an  unacceptable  weather  forecast  for  the  26th.  A  launch  was  attempted  on  the  27th  but 
was  halted  due  to  a  problem  with  an  external  hatch  handle  could  not  be  resolved.  The 
launch  was  rescheduled  for  the  28  January  1986. 

The  temperature  overnight  was  forecast  to  drop  into  the  twenties  degrees 
Fahrenheit  (F).  As  this  was  quite  unusually  cold  for  Florida,  engineers  were  directed  to 
assess  negative  effects  of  the  weather  on  the  mission.  It  was  decided  to  continue  with  the 
countdown.  Early  in  the  morning,  an  inspection  team  was  dispatched  to  examine  ice  that 
had  fonned  in  the  launch  pad  area.  A  second  inspection  later  in  the  morning  resulted  in  a 
decision  to  allow  more  time  for  the  ice  to  melt.  At  11:15  AM,  the  ice  inspection  released 
the  launch  hold  at  T-9  minutes  and  an  ‘all  go’  for  launch  was  achieved.  At  11:38  AM, 
the  flight  of  5 1-L  began.  Seventy-three  seconds  later  the  flight  ended  in  an  explosion  that 
destroyed  the  External  Tank  and  exposed  the  orbiter  to  severe  aerodynamic  loads  that  led 
to  catastrophic  failure  of  the  Shuttle.  All  aboard  perished.  The  technical  explanation  of 
the  accident  centered  on  the  failure  of  the  joint  between  two  segments  on  the  right  Solid 
Rocket  Booster  (SRB).  The  O-rings  that  were  intended  to  seal  this  joint  from  hot  gases 
leaking  through  the  joint  failed  to  perform  properly,  due  to  the  extremely  low 

temperatures  for  the  intended  launch  environment.  This  leak  allowed  a  flame  to  emerge 
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from  the  SRB  about  one  minute  into  the  flight.  The  flame  grew  in  size  and  began  to 
impinge  upon  the  External  Tank.  It  quickly  breached  the  tank,  interacting  with  hydrogen 
leaking  from  the  tank.  This  interaction  resulted  in  the  eventual  destruction  of  the  external 
tank  and  orbiter,  73.137  seconds  after  takeoff.6 

B.  COLUMBIA’S  FINAL  MISSION 

The  113th  mission  of  the  Space  Shuttle  Program,  and  the  28th  flight  of  the 
Columbia,  was  mission  STS- 107.  This  was  a  purely  scientific  mission,  dedicated  to  the 
performance  of  a  variety  of  micro  gravity  and  life  science  experiments,  as  well  as  a  joint 
U.S./Israeli  space  experiment.  The  Columbia,  which  flew  the  first  Space  Shuttle  mission 
STS-1,  was  chosen  for  this  mission  because  its  configuration  did  not  allow  it  to  dock  with 
the  international  space  station,  so  it  did  not  fly  on  the  space  station  missions.  However, 
because  of  its  cargo  capabilities,  it  was  better  suited  for  science  missions. 

The  STS- 107  mission  launched  on  January  16,  2002,  and  began  its  doomed 
seventeen-day  mission.  The  day  after  the  launch,  photographic  analysis  detennined  that 
at  81.9  seconds  after  launch,  a  large  piece  of  insulating  foam  separated  from  the  External 
Tank,  and  struck  Columbia's  left  wing  at  a  relative  velocity  of  416  to  573  miles-per-hour. 
After  completing  seventeen  days  of  experiments,  the  orbiter  began  preparations  to  return 
to  earth  on  1  February  2002.  During  the  decent  and  reentry,  the  damage  caused  by  the 
foam  impact  caused  a  failure  of  the  Thermal  Protection  System,  which  allowed 
superheated  air  to  impinge  upon  the  wing’s  internal  aluminum  structure,  causing  a  failure 
of  the  wing,  loss  of  control  of  the  orbiter,  and  eventual  breakup  destroying  the  orbiter  and 
taking  the  lives  of  the  seven-member  crew. 

Like  the  pre-launch  meetings  before  the  Challenger' s  final  flight,  where  NASA 
had  the  opportunity  to  make  a  decision  the  may  have  changed  the  outcome  of  the 
mission,  NASA  had  several  meetings  and  opportunities  to  determine  the  extent  of  the 
damage  to  the  orbiter  after  they  discovered  there  was  an  impact  during  launch.  There 
were  three  requests  for  imaging  of  the  Columbia  while  in  orbit  to  try  to  detennine  if  the 
debris  strike  had  visibly  damaged  any  critical  thermal  tiles.  Each  request  was  denied  by 
NASA’s  upper  management. 

6  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  38. 
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Per  NASA’s  guidelines,  a  Debris  Assessment  Team  was  formed  to  review 
situation  surrounding  the  foam  impact  during  launch.  Although  their  requests  for 
imaging  were  denied,  they  concluded  that  some  heating  might  occur  as  a  result  of  tiles 
damaged  during  the  foam  impact;  however,  their  analysis  did  not  conclude  that  there 
would  be  structural  damage  to  the  orbiter.  The  debris  strike  was  considered  a 
maintenance  issue,  and  was  not  a  concern  to  management.  The  reentry  was  treated  like 
any  other. 
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III.  THE  INVESTIGATIONS 


A.  BACKGROUND 

In  response  to  the  Challenger  accident  President  Ronald  Regan  appointed 
William  Rogers  to  lead  the  Presidential  Commission  on  the  Space  Shuttle  Challenger 
Accident  (The  Rogers  Commission).  In  his  letter  to  President  Reagan,  submitting  the 
Commission’s  report,  Rogers  states  “Our  objective  has  been  not  only  to  prevent  any 
recurrence  of  the  failure  related  to  this  accident,  but  to  the  extent  possible  to  reduce  other 
risks  in  future  flights.”7  Although  the  Commission’s  mandate  from  the  President  was  an 
investigation  of  the  Challenger  accident  and  the  development  of  recommendations  for 
corrective  action,  it  is  clear  that  the  Commission  viewed  its  mandate  as  broad;  to  matters 
beyond  the  accident  that  would  make  future  flights  safer.  While  it  is  certainly  not 
appropriate  to  lay  future  accidents  in  the  hands  of  this  commission,  it  is  appropriate,  in 
light  of  the  Columbia  accident,  to  determine  if  any  of  the  Commission’s  findings  applied 
to  Columbia  accident  or  if  any  of  the  factors  determined  to  be  at  the  cause  of  the 
Columbia  accident  went  unnoted  during  the  Challenger  investigation. 

To  determine  the  causes  of  the  Columbia  accident,  the  Columbia  Accident 
Investigation  Board  (CAIB)  was  formed.  As  with  the  Rogers  Commission,  they  viewed 
their  mandate  as  determining  the  causal  factors  as  well  as  the  physical  factors  responsible 
for  the  accident.  Although  they  never  place  the  blame  on  any  commissions  that  came 
before  them,  the  Columbia  Accident  Investigation  Board  (CAIB)  does  review  many  of 
the  previous  findings  in  an  attempt  to  determine  if  they  could  have  had  a  positive  or 
negative  impact  on  events  leading  up  to  the  Columbia  accident.  “The  Board’s  conviction 
regarding  the  importance  of  these  factors  strengthened  as  the  investigation  progressed, 
with  the  result  that  this  report,  in  its  findings,  conclusions,  and  recommendations  places 
as  much  weight  on  these  causal  factors  as  on  the  more  easily  understood  and  corrected 
physical  cause  of  the  accident.”8 


7  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  1. 

8  CAIB,  p.  9. 


9 


B.  INVESTIGATIONS  OF  THE  CHALLENGER  ACCIDENT 

1.  Overview 

The  Rogers  Commission  found  that  the  loss  of  the  Challenger  was  ultimately 
caused  by  a  failure  in  the  joint  between  the  two  lower  segments  of  the  right  Solid  Rocket 
Booster  (SRB).  Of  the  sixteen  findings  presented  by  the  Commission  as  the  “Cause  of 
the  Accident,”  all  dealt  in  some  respect  with  the  technical  rational  for  why  they 
determined  this  was  the  cause.  However,  of  the  nine  recommendations  that  the 
Commission  made  to  the  President  and  NASA  to  help  assure  the  return  to  safe  flight, 
only  Recommendation  I  dealt  specifically  with  the  redesign  of  the  faulty  SRB  joint.  Four 
other  recommendations  (III,  VI,  VII,  and  IX)  dealt  with  additional  technical  and 
maintenance  issues,  unrelated  to  the  SRB,  which  were  uncovered  during  the 
investigation.  The  remaining  four  recommendations  related  to  organizational, 
management  and  communications  changes  with  in  NASA.  These  recommendations 
arose  out  of  the  broader  mandate  that  the  Rogers  Commission  adopted  “. .  .to  reduce  other 
risks  in  future  flights.”9  None  of  the  recommendations  dealt  with  the  political 
environment  within  which  NASA  operates  (Congress,  President’s  Budget,  political 
process,  and  scarce  resources).  In  fact,  in  the  Preface  to  its  report,  the  Commission  stated 
“...the  Commission  did  not  construe  its  mandate  to  require  a  detailed  investigation  of  all 
aspects  of  the  Space  Shuttle  program;  to  review  budgetary  matters  ...  or  supersede 
Congress  in  any  way.”10  The  four  non-technical  recommendations  arose  from  the 
broader  investigation  of  the  accident  that  looked  for  contributing  causes,  historical 
context,  NASA’s  safety  program,  and  pressures  on  the  Space  Transportation  System. 
The  following  sections  will  present  and  review  the  Commission’s  findings  and 
recommendations  that  developed  from  this  broader  investigation.  This  examination  will 
be  used  to  determine  to  what  extent  the  Commissions  findings  comprehensively 
identified  factors  that  contributed  to  the  accident  or  needed  to  be  changed  to  prevent 
future  accidents.  The  investigation  of  this  section  is  limited  to  those  areas  that  the 
Commission  viewed  within  their  mandate  either  by  explicitly  stating  as  such  or  by 


9  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  1. 

10  Ibid. 
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implication  due  to  the  topics  presented  in  their  report.  Presentation  and  discussion  of 
areas  of  that  went  beyond  the  mandate  of  the  Commission  will  be  offered  in  the  analysis 
section. 

2.  Contributing  Causes  of  the  Accident 

The  Rogers  Commission  analysis  of  contributing  causes  of  the  accident  identified 
flaws  in  the  decision  making  process  with  regard  to  decision  to  launch.  It  has  become  the 
popular  perception  that  the  Challenger  accident  was  a  combination  of  a  technical  flaw 
with  a  flawed  decision  to  launch  made  by  those  unaware  of  the  recent  history  of  problems 
concerning  the  SRB  joint.  Later  in  this  paper,  we  will  examine  the  validity  of  the 
perception  of  the  flawed  launch  decision;  for  now  we  will  present  the  Rogers 
Commission  basis  for  this  finding  since  this  had  a  profound  impact  on  the 
recommendations  made  by  the  Rogers  Commission. 

On  the  eve  of  the  launch  of  the  Challenger,  a  teleconference  was  convened  to 
allow  Morton  Thiokol  (the  manufacturer  of  the  SRBs)  engineers  to  express  their  concern 
about  launching  in  the  cold  weather  that  was  expected  the  next  day.  The  temperature  was 
predicted  to  be  in  the  low  twenties  degrees  (F)  at  Cape  Canaveral  at  launch  time.  The 
Thiokol  engineers  were  responding  to  a  request  from  NASA  to  assess  the  effects  of  the 
cold  on  the  SRB  performance.  The  Thiokol  engineers  had  expressed  concern  that  the 
resiliency  of  the  O-rings  would  be  affected  by  the  cold,  and  that  a  known  O-ring  erosion 
problem  would  be  made  worse,  threatening  flight  safety.  The  teleconference  involved 
Thiokol  and  two  NASA  Centers  -  Marshall  Space  Flight  Center  (responsible  for  the 
SRBs)  and  Kennedy  Space  Center  (responsible  for  the  launch).  At  this  teleconference, 
Thiokol  indicated  they  thought  launch  should  be  delayed  until  afternoon,  when  the 
temperatures  would  be  higher.  In  response  to  this  recommendation,  a  second,  more 
formal,  teleconference  was  scheduled  for  later  that  same  evening  so  that  more  personnel 
could  be  informed,  and  a  launch  decision  could  be  made. 

At  this  teleconference,  Thiokol  stated  that  the  O-rings  would  be  slower  to  seal 

than  on  the  previous  coldest  launch,  which  had  been  fifty-three  degrees  F,  when 

significant  O-ring  blow-by  had  been  observed.  Therefore,  it  was  recommended  that  the 

launch  not  be  conducted  at  temperatures  below  fifty-three  degrees  F.  In  response  to  the 

recommendation,  NASA  representatives  at  both  Marshall  and  Kennedy  began  to  question 
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Thiokol’s  position  based  on  the  fact  that  there  was  current  no  Launch  Commit  Criteria 
(LCC)  for  SRB  joint  temperature.  Thiokol’s  management  was  pressed  for  a  clarification 
by  NASA.  Thiokol  then  requested  an  off-line,  Thiokol  only  discussion,  before 
responding.  What  ensued  was  a  management  decision  that  resulted  in  a  change  in  the 
Thiokol  position  to  one  of  recommending  launch.  The  NASA  participants  accepted  the 
revised  recommendation.  ThiokoTs  concerns  were  not  communicated  to  the  Level  II 
Flight  Readiness  Review  (FRR)  authority,  the  Manager,  National  Space  Transportation 
Program.  The  Commission  indicates  in  its  findings  that  “had  matters  been  clearly  stated 
and  emphasized  in  the  flight  readiness  process  ...,  it  seems  likely  that  the  launch  of  51-L 
might  not  have  occurred  when  it  did.”11  This  assertion  is  central  to  many  of  the 
recommendations  made  by  the  Commission;  however,  others  who  have  investigated  the 
launch  decision  disagree  with  this  assertion.  Diane  Vaughan,  a  sociologist  who  has 
written  at  length  on  the  underlying  reasons  behind  the  Challenger  accidents,  writes,  “Yet 
communication  problems  were  an  inadequate  explanation  of  the  launch  decision.”  12 

Vaughan’s  investigation  revealed  that  in  the  minds  of  those  involved  with  the 
launch  decision  as  a  result  of  the  teleconference,  that  there  was  no  need  to  elevate  the 
decision  because  it  was  a  Level  III  FRR  issue,  which  had  been  resolved  at  that  level.  As 
such,  and  because  it  did  not  involve  a  violation  of  any  existing  LCC,  it  did  not  need  to  be 
communicated  to  a  higher  level.  Further,  those  individuals  higher  in  the  readiness 
approval  process  are  dependent  upon  those  at  the  lower  levels  to  provide  infonnation  and 
analysis  to  make  their  decisions.  By  the  time  the  teleconference  was  completed  the 
documentation  indicated  consensus  between  the  organizations  participating  in  the 
teleconference.  By  identifying  the  resulting  action  from  the  teleconference  as  “a  serious 
flaw  in  the  decision  making  process,”  the  Commission  did  not  provide  sufficient  basis  for 
correcting  the  underlying  reason  that  the  information  provided  by  Thiokol  engineers  on 
the  eve  of  the  launch  did  not  result  in  a  decision  to  delay  the  launch. 

The  Rogers  Commission’s  Recommendation  II  appears  to  be  a  direct  result  of  the 
perceived  flawed  launch  decision  process.  This  recommendation  included  modifications 

11  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  1. 

12  D.  Vaughan,  The  Challenger  Launch  Decision,  p.  1 1,  The  University  of  Chicago  Press,  Chicago, 
1996. 
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to  the  shuttle  management  structure  and  establishment  of  an  STS  Safety  Advisory  Panel. 
The  proposed  changes  in  the  shuttle  management  structure  were  focused  on  the  fact  that 
various  elements  of  the  Shuttle  program  felt  more  accountable  to  their  center 
management  that  to  the  overall  Shuttle  program  organization.  The  recommendation  was 
to  strengthen  the  Shuttle  Program  Manager  position  by  placing  all  program  funding  and 
all  Shuttle  Program  work  at  the  NASA  Centers,  under  Program  Manager’s  authority.  The 
charter  of  the  STS  Safety  Advisory  Panel  advocated  in  this  recommendation  was  to 
include  Shuttle  operational  issues,  launch  commit  criteria  (LCC),  flight  rules,  flight 
readiness,  and  risk  management.  The  STS  Safety  Advisor  Panel  would  report  directly  to 
the  Shuttle  Program  Manager. 

Recommendation  V,  Improved  Communication,  also  arose  as  a  result  of  the 
Commission’s  investigation  of  contributing  causes  of  the  accident.  The  rational  for  this 
recommendation  flows  from  the  tendency  for  isolation  at  the  various  Space  Centers  with 
respect  to  communication,  especially  of  problems,  to  higher  levels.  This  is  the  only 
recommendation  from  the  Commission  that  specifies  possible  personnel  action  as  a  result 
of  the  accident,  when  it  recommended  these  tendencies  should  be  addressed  “...by 
changes  of  personnel,  organization,  indoctrination  or  all  three.”13  The  assertion  by  the 
Commission  that  the  communication  problems  bordered  on  misconduct  will  be  analyzed 
in  more  detail  later  in  this  paper. 

During  the  investigation  of  the  contributing  factors  of  the  accident,  the  Rogers 
Commission  found  that  the  “NASA  appeared  to  be  requiring  a  contractor  to  prove  that  it 
was  not  safe  to  launch,  rather  than  proving  it  was  safe.”  In  his  discussion  of  the  launch 
decision  process,  McConnell  states,  “Rather  than  demanding  that  all  those  supporting  the 
launch  prove  that  conditions  were  safe,  the  senior  members  of  the  launch  team  demanded 
that  their  subordinates  and  the  contractor  representatives  prove  that  is  was  not  safe  to 
launch”14.  Interestingly,  seventeen  years  later,  in  laying  out  the  priorities  for  returning  to 
flight  after  the  Columbia  accident,  NASA  Administrator  Sean  O’  Keefe  indicated  that  a 


13  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p200. 


14  M.  McConnell,  Challenger  A  Major  Malfunction,  p.  210.  Doubleday  and  Company,  Garden  City, 
NY,  1987. 
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shift  was  once  again  needed  from  “prove  to  me  that  it’s  not  safe”  to  “prove  to  me  that  it  is 
safe.”15  The  reasons  behind  this  apparent  illogical  pattern  will  be  examined  in  more 
detail  in  this  report. 

3.  Historical  Contexts 

The  Rogers  Commission  devotes  a  section  of  its  report  to  the  historical  contexts 
of  the  accident.  According  to  the  Commission’s  report,  the  accident  “began  with 
decisions  made  in  the  design  of  the  joint  and  in  the  failure  by  both  Thiokol  and  NASA’s 
Solid  Rocket  Booster  project  office  to  understand  and  respond  to  facts  obtained  during 
testing.”16  For  purposes  of  the  analysis  presented  here,  since  the  Commission  includes 
the  impacts  of  historical  design  decisions  in  its  investigatory  findings,  it  is  appropriate  to 
consider  the  extent  to  which  there  findings  were  complete.  Other  investigators  of  the 
Challenger  accident  trace  the  historical  roots  back  much  further  than  did  the  Rogers 
Commission.  McConnell  indicates  that  during  negotiations  in  the  early  1970’s,  in  order 
to  get  approval  from  Congress,  NASA  was  forced  to  compromise  on  the  Shuttle  design.17 
Vaughan  points  out,  regarding  the  final  design  decision,  “The  final  design  was  far  from 
NASA’s  original  concept.”18  Although  NASA  was  given  responsibility  (and  would 
ultimately  be  accountable)  for  reaching  the  Nation’s  space  goals,  the  ability  to 
accomplish  these  goals  had  been  constrained  by  other  organizations  within  the 
environment  that  NASA  had  to  operate.  Joseph  Trento,  in  his  book  “Prescription  for 
Disaster,”  states  that  the  shuttle  would  have  to  be  a  “politically  acceptable  machine.”19 
This  was  in  stark  contrast  to  the  freedom  and  seemingly  limitless  budget  that  NASA  was 
given  to  achieve  its  goals  and  meet  the  Nation’s  aspirations  in  the  Apollo  program. 

While  the  Rogers  report  goes  on  to  present  six  findings  related  to  the  historical 
context  of  the  accident,  all  of  the  findings  relate  to  the  SRB  joint  design.  There  is  no 
discussion  offered  in  the  report  concerning  the  fact  that  the  Shuttle  that  was  eventually 
produced  by  NASA  was  not  considered  the  best  technical  solution  to  the  mission.  The 

15  M.  Wims,  “NASA  must  ‘move  forward,’  leader  says,  ”  The  Providence  Journal,  p.  B-l,  7  Sept  03. 

16  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  148. 

17  McConnell,  p  38. 

18  Vaughan,  p  22. 

19  J.J.  Trento,  Prescription  for  Disaster,  p.  96.  Crown  Publishers,  Inc,  New  York,  1987. 
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preferred  concept  that  NASA  envisioned  was  a  completely  reusable  two-stage  system. 
This  concept  consisted  of  a  manned  first  stage,  large,  winged  rocket  booster,  which 
would  carry  a  smaller,  winged,  manned  orbiter.  Each  vehicle  would  be  returned  for 
landing  by  its  crew  after  the  mission  and  would  be  refurbished  for  the  next  mission.  This 
Space  Shuttle  concept  was  acknowledged  as  a  very  expensive  approach,  with  high 
Research  and  Design  (R&D)  and  non-re-occurring  costs,  but  less  expensive  to  operate, 
long  term.  When  NASA  was  told  that  its  design  was  unaffordable,  NASA  embarked 
down  the  path  of  compromise  that  has  led  to  the  vehicle  they  operate  today. 

There  are  several  important  aspects  of  the  original  design  that  were  eventually 
changed  for  the  final  design  that  relate  to  the  Shuttle  accidents,  which  went 
unacknowledged  by  the  Rogers  Commission.  First,  all  of  the  propulsion  systems  in  the 
original  design  were  to  have  been  cryogenic  liquid  propellants;  which  would  have 
avoided  the  difficulties  associated  with  designing  and  operating  solid  rocket  boosters. 
When  NASA  began  to  compromise  the  design  in  order  to  keep  the  project  alive,  one  of 
the  first  changes  was  to  make  the  system  “partially”  reusable  by  using  an  expendable, 
external  tank  to  feed  the  orbiter’s  engines  and  two  strap-on  reusable  boosters  to  provide 
the  required  lift-off  thrust.  However,  the  design  studies  indicated  that  due  to  the 
extensive  rework  requirements  associated  with  the  plumbing  systems  after  a  water  impact 
recovery,  a  liquid-rocket  booster  design  would  be  unable  to  meet  the  rapid  turn  around 
requirements  for  the  boosters.20  Cost  studies  also  indicated  that  the  liquid  systems  would 
be  more  expensive  than  solid  rockets21.  Therefore,  the  external  boosters  shifted  to  a  solid 
propellant  design  in  order  to  make  the  Shuttle  affordable  enough  to  build.  According  to 
Trento,  experts  such  as  Von  Braun  viewed  the  decision  to  use  solid  rockets  as  a 
dangerous  one  22  Solid  rockets  once  initiated,  could  not  be  shut  down.  The  design  of  the 
SRBs,  as  they  came  to  be  known,  was  driven  by  the  need  to  transport  the  boosters  from 
the  manufacturing  facility  to  the  launch  complex  in  Florida.  As  a  result,  the  segmented 
design  emerged,  with  the  joint/O-ring  design  that  was  ultimately  blamed  for  the 
Challenger  accident. 

20  McConnell,  p.  210. 

21  Trento,  p.  114. 

22  Trento,  p.  107. 
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The  second  aspect  relates  to  differences  in  the  orbiters  envisioned  in  the  original 
design  versus  the  orbiters  that  are  currently  in  use.  The  original  orbiter  design  included 
with  the  piloted,  winged  booster  was  much  smaller  than  the  orbiter  eventually  built. 
Because  of  the  capability  of  the  original  booster,  the  orbiter  did  not  need  to  have  as 
powerful  engines  as  the  current  orbiter.  However,  the  change  in  the  booster  concept 
resulted  in  growth  in  the  size  of  the  orbiter.  A  more  profound  impact  to  the  orbiter  design 
was  made  to  ensure  buy-in  from  the  Air  Force.  In  order  to  meet  the  needs  of  the  Air 
Force,  the  orbiter  had  to  be  able  to  perfonn  a  thousand-mile  cross  range  capability  on  it 
reentry  glide  path.23  The  original  NASA  design  was  for  a  slow,  straight-wing  glider  that 
could  not  meet  this  requirement.  Instead,  in  order  to  ensure  support  of  the  Air  Force, 
NASA  redesigned  the  orbiter;  resulting  in  the  high-speed,  delta-winged  orbiter  that  was 
eventually  built.  This  new  design  needed  to  employ  an  extreme  glide  slope  and  land  at 
extremely  high  speeds.  The  implications  of  the  change  in  design  had  profound  impacts 
on  the  performance  of  the  orbiter  during  reentry.  The  design  solution  of  lightweight 
silicon  tiles  to  solve  the  heating  problem  of  reentry  emerged  during  the  design  of  the 
original  orbiter.  In  fact,  the  short  fuselage  configured  with  straight,  high-lift  wings  of  the 
original  orbiter  design  was  well  suited  to  the  use  of  the  tiles.  However,  the  redesigned 
delta-wing  concept  considerably  increased  the  complexity  of  this  approach  and  created 
unusual  stresses  and  vibrations  that  did  not  exist  in  the  original  design.24  Additionally, 
the  delta-wing  orbiter  needed  to  maneuver  at  much  higher  speeds  during  reentry  than  the 
original  design.  This  exposed  the  shuttle  to  higher  temperatures  for  longer  durations. 
The  response  to  this  was  to  increase  the  density  of  the  protective  tiles.25  The  factors 
associated  with  the  design  changes  on  reentry  dynamics  and  implications  on  protective 
tiles  were  not  a  factor  in  the  Challenger  accident,  and  none  of  the  findings  or 
recommendations  made  by  the  Rogers  Commission  resulted  from  these  factors. 
However,  the  relationship  to  the  Columbia  accident,  particularly  as  it  relates  to  the  orbiter 
redesign,  needs  to  be  further  explored. 


23  McConnell,  p.  37. 

24  Ibid.,  p.  40. 

25  Ibid.,  p.  39. 
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Although,  the  Rogers  Commission’s  recommendation  VII  called  for  NASA  to 
make  all  efforts  to  provide  a  crew  escape  system  for  use  during  controlled  flight  there 
was  little  discussion  in  the  Commissions  report  documenting  the  history  of  the  crew 
escape  options  investigated.  NASA  spent  considerable  time  and  effort  investigating 
modifications  to  the  shuttle  that  would  incorporate  an  escape  system,  it  was  determined  to 
be  unrealistic  to  modify  the  existing  shuttle  design.  Since  this  is  one  of  the 
recommendations  that  was  not  implemented  by  NASA  in  the  years  following  the 
Challenger  accident,  it  is  worth  investigating  other  authors’  findings  in  this  area  relating 
to  historical  decisions  that  lead  to  the  current  design.  All  previous  manned  spacecraft, 
preceding  the  shuttle,  had  been  fitted  with  the  ability  to  extract  the  crew  capsule  in  the 
early  stages  of  the  mission.26  Accordingly,  it  was  the  going  in  position  in  the  early  days 
of  the  design,  that  the  Space  Shuttle  would  also  have  provisions  for  crew  escape. 
Rockwell  had  conducted  a  study  of  ejection  seat  options  for  the  shuttle  in  1971. 
Depending  on  the  source,  the  reason  for  not  implementing  an  escape  system  was  either 
cost27  ($10M  for  an  ejection  seat  to  $292M  for  a  full  crew  compartment  escape)  or  added 
weight.28  The  added  weight  had  emerged  from  the  change  to  the  delta-wing  orbiter  and 
the  subsequent  large  increase  in  the  number  and  weight  of  tiles,  another  design 
compromise  that  was  now  being  dealt  with  by  another  design  compromise  due  to 
confidence  “that  enough  safety  could  be  engineered  into  the  space  shuttle’s  propulsion 
system  to  obviate  the  need  for  escape  rockets.”29 

The  Commission  labeled  another  contributing  factor  in  the  Challenger  accident, 
which  has  its  roots  in  the  history  of  the  Space  Shuttle  program,  as  “Pressures  on  the 
System.”  The  Commission  found  that  the  Shuttle  program  was  unable  to  meet  the  flight 
rate  schedule  due  to  a  number  of  factors.  However,  this  fact  was  never  organizationally 
acknowledged  by  NASA  in  the  years  leading  up  to  the  Challenger  accident  in  order  to 
maintain  support  for  the  Shuttle  program  within  the  environment  within  NASA  operated. 
This  resulted  in  an  underlying  stress  on  the  system,  and  those  working  within  it,  to  meet 

26  McConnell,  p.  39. 

27  Trento,  p.  138. 

28  McConnell,  p.  40. 

29  Ibid.,  p.  40. 
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expectations.  However,  the  Commission  claims  that  “NASA  had  not  provided  adequate 
resources  for  its  [the  flight  rate]  attainment.”30  However,  the  Commission  did  not 
investigate  the  reason  why  NASA  did  not  have  sufficient  resources  due  to  its 
interpretation  of  its  mandate  as  not  including  “to  review  budgetary  matters.31”  In  spite  of 
this  exclusion  it  is  notable  that  included  in  the  Appendix  material  to  the  Commission’s 
report  are  personal  observations  from  R.P.  Fryman,  one  of  the  Commission  Members 
who  maintains  that  management  tends  to  underestimate  the  probability  of  failure  in  “an 
attempt  to  assure  the  government  of  NASA  perfection  and  success  in  order  to  ensure  the 
supply  of  funds.”32  Arising  from  the  Commission’s  review  of  these  pressures  was 
Recommendation  VIII  -  Flight  Rate.  In  this  recommendation,  NASA  was  directed  to 
establish  a  flight  rate  that  was  consistent  with  its  resources.  In  response  to  this 
recommendation,  NASA  formed  the  Flight  Rate  Capability  Working  Group  that  was 
tasked  to  develop  to  determine  a  realistic  flight  rate  and  set  out  to  develop  a  more  rigid 
cargo  manifest  policy,  to  reduce  the  impact  to  cargo  manifest  changes  on  flight 
preparation.  Separately,  the  National  Research  Council  was  asked  by  the  House  of 
Representatives  to  assess  the  flight  rate  capability  of  the  Shuttle  system.33  In  NASA’s 
report  on  Implementation  of  the  Recommendations  NASA  indicated  that  their  projection 
was  a  maximum  capability  of  fourteen  flights  per  year  (assuming  a  replacement  orbiter 
for  Challenger)  and  that  the  NRC  detennined  that  an  eight  to  ten  flight/year  rate  was 
sustainable  with  three  orbiters  or  eleven  to  thirteen  with  four  orbiters.34  However,  in 
neither  NASA’s  response  nor  implementation  report  was  there  any  discussion  relating  to 
the  fact  that  any  flight  rate  requirement  will  continue  to  impose  pressure  to  meet  the 
flight  rate,  and  thereby  influence  the  culture  of  the  agency  of  bowing  to  schedule 
demands.  In  fact,  the  most  flights  ever  achieved  after  1986,  leading  up  to  the  Columbia 


30  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  164. 

31  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  1. 

32  Ibid.,  Volume  II,  Appendix  F,  p.  F-4. 

33  National  Research  Council,  Post-Challenger  Evaluation  of  Space  Shuttle  Risk  Assessment  and 
Management,  National  Academy  Press,  Washington  D.C.,  January  1988. 

34  National  Aeronautics  and  Space  Administration  (NASA),  “Actions  to  Implement  the 
Recommendations  of  The  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,” 
Government  Printing  Office,  Washington,  D.C.,  July  1986. 


18 


accident  was  nine  flights  in  1998.  Between  1994  (when  the  Implementation  report 
indicated  that  full  capability  would  be  achieved)  and  2002,  the  agency  averaged  a  little 
more  than  six  flights  per  year. 

While  the  Commission  report  breaks  out  its  discussion  of  “Pressures  on  the 
System,”  as  distinct  from  its  discussion  of  the  historical  context,  the  two  are  inseparable. 
While  the  effects  of  this  pressure  will  be  elaborated  later  in  this  paper,  it  is  appropriate  to 
record  the  development  of  these  pressures  in  a  historical  context,  which  was  not  done  by 
the  Commission.  As  the  space  program  transitioned  from  the  Apollo  program  (which  had 
received  almost  unconditional  congressional  and  public  support)  to  the  Shuttle  program, 
NASA  increasingly  found  itself  trying  to  sell  the  Space  Shuttle  as  economical  and  self  - 
supporting.  The  Office  of  Management  and  Budget  (OMB)  had  demanded  that  the 
shuttle  be  proved  economical,  and  NASA  produced  studies  that  provided  the  needed 
justification.  In  the  earliest  stages  of  conceptualization  of  the  “Space  Transportation 
System,”  turn  around  times  as  short  as  two  weeks  were  cited.35  Later,  as  NASA 
continued  to  be  pressured  to  show  Congress  and  the  OMB  that  the  final,  ‘partially’ 
reusable  shuttle  design  would  be  cost  effective,  they  commissioned  the  research  firm 
Mathematica  to  study  Shuttle  program  economics.  The  Mathematica  study  indicated  that 
the  shuttle  would  pay  for  itself  if  it  flew  as  few  as  thirty  flights  a  year.36  After  the  Space 
Shuttle  was  declared  “operational”  in  1982,  it  was  clear  that  the  economies  of  the  Space 
Shuttle  laid  down  in  the  early  days,  were  not  going  to  be  met.  Nevertheless,  in  1982 
NASA  projected  a  flight  rate  of  twelve  in  1984,  fourteen  in  1985,  seventeen  in  1986  and 
1987  and  reaching  twenty-four  in  1988.  However,  what  was  actually  achieved  was  just 
five  in  1984  and  eight  in  1985.  What  NASA  found  as  it  transitioned  from  the 
developmental  stage  of  the  program  to  the  “operational”  status  is  that  the  budget  did  not 
follow;  the  budget  that  controlled  facilities  and  equipment  did  not  support  the  needs  of  a 
mature  system.  In  fact,  NASA  sent  out  invitations  to  bid  on  the  shuttle  operations 
program  to  United  Airlines  and  American  Airlines37;  an  indication  of  the  level  of 
maturity  that  NASA  felt  had  been  reached  in  the  shuttle  program.  Resources  that 

35  McConnell,  p.  33. 

36  Ibid.,  p.  41. 

37  Email  correspondence  from  ADM  (Ret)  Donald  Eaton,  10  February  2006. 
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previously  had  been  devoted  to  a  single  flight  were  now  spread  across  multiple  missions. 
This  was  the  setting  entering  1986  and  resulted  in  the  pressures  to  achieve  the  flight  rate 
in  order  show  that  the  Shuttle  could  be  economically  viable.  NASA’s  proud  heritage  also 
added  to  these  pressures  as  the  agency  tried  to  maintain  its  positive  public  image  in  the 
face  of  several  high  profile  (and  at  times  embarrassing)  events.  A  series  of  seven  delays 
had  plagued  the  Columbia  mission  that  immediately  preceded  the  Challenger  launch.  In 
addition,  NASA  was  battling  criticism  from  the  scientific  community  that  NASA  had 
reduced  its  commitment  to  scientific  exploits  in  favor  of  operation  of  a  “Space  Truck.” 
As  Vaughan  states,  “externally  generated  pressures  on  the  organization  were  met  with 
internally  generated  ones  increasing  system  stress.”  38 

4.  Safety 

Another  major  portion  of  the  Rogers  Commission  report  was  devoted  to  what  it 
called  the  “Silent  Safety  Program.”  The  Commission’s  findings  with  respect  to  the  safety 
program  indicate  that  during  investigatory  questioning,  the  safety  staff  was  never 
mentioned.  In  particular,  they  cite  the  lack  of  involvement  of  safety,  quality  assurance,  or 
reliability  personnel  in  the  teleconference  that  led  to  the  launch  decision  for  Challenger. 
Two  of  the  major  findings  were  that  NASA  had  reduced  the  work  force  in  these  areas, 
severely  limiting  capability,  and  that  the  organizations  that  did  exist  had  been  placed 
under  the  supervision  of  the  activities  whose  efforts  they  were  monitoring.  As  a  result  of 
these  findings,  Recommendation  IV  was  made  by  the  Commission,  centering  on  the 
Safety  organization.  Specifically,  the  Commission  calls  for  the  formation  of  an  Office  of 
Safety,  Reliability  and  Quality  Assurance  that  reports  directly  to  the  NASA 
Administrator,  independent  of  other  NASA  functional  and  program  responsibilities. 
Further,  the  recommendation  calls  for  this  office  to  be  staffed  with  adequate  resources. 
The  relevance  to  this  recommendation  to  the  Columbia  accident  will  be  discussed  in 
more  detail  later  in  this  paper. 

While  it  is  undeniable  that  inadequate  attention  to  safety  considerations  played  a 
role  in  the  Challenger  accident,  by  the  limitations  on  the  Commission’s  mandate  the 
underlying  reasons  for  the  state  of  the  safety  program  were  perhaps  not  fully  investigated. 
The  Commission  found  that  the  “exactingly  thorough”  procedures  that  existed  during  the 
38  Vaughan,  p.  30. 
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Apollo  program  had  become  ineffective  by  1986  and  this  seriously  degraded  the  checks 
and  balances  required  for  proper  flight  safety.  Other  investigators  also  found  that  this 
trend,  but  delved  further  into  the  reasons.  Just  as  NASA  compromised  the  design  of  the 
Space  Shuttle  for  the  purposes  of  making  the  Shuttle  politically  acceptable,  in  the  very 
early  stages  of  the  program  NASA  also  cut  spending  on  safety  testing  for  shuttle 
components  in  a  move  to  economize39.  While  this  approach  diverged  from  that  of  the 
Apollo  program,  NASA’s  view  was  that  this  was  acceptable  due  to  the  agency’s 
experience  base  in  space  flight.  Once  again,  the  difference  between  the  almost  unlimited 
budget  for  the  Apollo  program  and  the  highly  scrutinized  budget  for  the  Shuttle  program 
certainly  played  a  role  in  the  how  NASA  approached  the  development  of  the  Space 
Shuttle.  Many  investigators  of  the  Safety  philosophy  at  NASA  in  the  early  Shuttle  days 
agree  with  Howard  McCurty  who  found  that  NASA  culture  had  not  abandoned  safety 
principles  that  existed  in  the  original  agency,  but  it  had  been  eroded  due  to  difficulties  in 
carrying  out  the  practices  associated  with  those  principles  as  compared  to  the  Apollo 
program.40  According  to  Vaughan,  NASA  had  experienced  a  move  away  from  a 
technical  emphasis  towards  management  of  contractors.41  According  to  Trento,  as  time 
went  on  this  situation  deteriorated,  with  NASA  losing  the  capability  to  technically  verify 
contractor’s  work  by  the  end  of  1980.  At  this  time,  NASA  became  dependent  upon  the 
military  for  many  of  its  inspections,  and  many  of  the  NASA  safety  veterans  were 
leaving  42 

The  findings  and  recommendation  of  the  Commission  centered  upon  a  lack  of  a 
safety  program,  and  the  fact  that  the  safety  organization  was  embedded  in  the 
organization  it  was  to  regulate.  At  the  time  of  the  accident  a  review  of  the  safety 
organization  within  NASA  would  have  revealed  a  safety  organization  at  each  Center 
known  as  the  Safety,  Reliability,  and  Quality  Assurance  Program  (SR&QA)  and  the 
Space  Shuttle  Crew  Safety  Panel  (SSCSP)  which  was  a  made  up  of  representatives  from 
across  NASA.  The  SR&QA  were  responsible  to  the  individual  Centers  in  that  Center’s 

39  D.  Stuart ,  “NASA  Cut  or  Delayed  Safety  Spending,”  New  York  Times,  24  April  1986. 

40  H.E.  McCurdy,  Inside  NASA:  High  Technology  and  Organizational  Change  in  the  U.S.  Space 
Program,  Johns  Hopkins  University  Press,  Baltimore  1993. 

41  Vaughan,  p.  210. 

42  Trento,  p.  176. 
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area  of  expertise,  whereas  the  SSCSP  was  tasked  specifically  with  identifying  hazards  to 
the  crew  and  advising  shuttle  management.  While  these  organizations  could  be 
considered  internal  regulators,  a  third  panel  the  Aerospace  Safety  Advisory  Board 
(ASAP)  which  was  formed  as  a  result  of  the  Apollo  1  launch  pad  fire,  was  made  up  of 
outside  experts.  Neither  the  SSCSP  (which  was  less  embedded  than  the  SR&QA)  nor  the 
ASAP  identified  the  O-ring  problems  with  the  SRB,  despite  their  different  organizational 
alignments.  The  only  group  that  did  identify  the  problem  was  the  SR&QA  engineers;  the 
most  organizationally  embedded  of  the  three  panels.  However,  due  to  their  dependency 
on  the  work  group  within  they  existed,  they  were  influenced  by  the  organizational  view 
of  the  problem  and  concurred  with  the  work  group’s  analysis  of  the  situation. 

The  preceding  discussion  concerning  the  safety  organizations  that  existed  at  the 
time  of  the  Challenger  accident  is  indicative  of  some  of  traits  of  regulatory  groups  that 
may  not  have  been  fully  considered  by  the  Commission  in  their  findings  and 
recommendations.  Vaughan  gives  an  excellent  comparison  of  the  relative  strengths  and 
weakness  of  internal  versus  external  regulation,  and  why  neither  is  entirely  effective.43 
External  groups  exhibit  the  desired  trait  of  autonomy  and  as  such  are  able  to  bring  to  the 
evaluation  a  fresh  viewpoint  and  ability  to  make  judgments  without  regard  to 
organizational  consequences.  One  would  expect  that  these  are  the  traits  that  the 
Commission  was  after  in  its  recommendation  to  establish  a  new  Safety  Office  at  the 
Headquarters  level.  This  sort  of  recommendation  is  very  often  the  response  to  an 
undesired  outcome  that  investigators  detennine  could  have  been  prevented  by  higher- 
level  scrutiny.  However,  such  recommendation  must  reconcile  the  downsides  of  an 
external  regulatory  body.  One  such  downside  is  that  the  external  body  often  has  limited 
access  to  information  that  is  vital  to  its  oversight  and  has  a  difficult  time  fully 
understanding  the  implications  of  what  it  does  access.  While  it  is  possible  that  this  could 
be  due  to  a  conscious  attempt  by  the  regulate  to  withhold  information  it  is  just  as  often 
related  to  the  fact  the  external  agents  are  not  continuously  present  as  the  information 
emerges  and  analyzed.  As  a  result  the  external  regulator  often  becomes  dependent  upon 
the  organization  it  is  regulating  for  both  information  and  interpretation;  the  very 
phenomena  that  the  outside  organization  was  created  to  prevent.  On  the  other  hand,  the 
43  Vaughan,  p.  265. 
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internal  regulator  has  definite  advantages  with  respect  to  uncovering  and  investigating 
problems  because  they  have  more  timely  access  and  understanding  to  the  infonnation  that 
will  reveal  problems.  However,  the  downside  (well  recognized  by  the  Rogers 
Commission  and  others)  is  the  interdependence  the  regulators  share  with  the  parent 
organization  for  resources  and  the  shared  organizational  goals  that  lessen  the 
aggressiveness  of  the  regulator. 

The  ASAP  is  an  excellent  example  of  an  external  regulatory  group  that  was 
established  to  avoid  some  of  the  pitfalls  of  interdependence  but  in  tenns  of  the  O-ring 
problem  was  ineffective.  The  SR&QA  groups  are  excellent  examples  of  what  needs  to 
be  considered  when  an  internal  regulator  is  established.  The  Commission  blamed  the  fact 
that  inadequate  resources  had  been  provided  to  the  SR&QA  staff,  and  that  the  staffs  had 
been  reduced.  While  it  is  clear  that  NASA’s  trend  toward  decreasing  emphasis  on  safety 
needed  to  be  addressed  by  the  Commission,  it  is  not  clear  that  their  recommendations  by 
themselves  would  correct  the  problems.  Nor  is  it  clear  that  had  more  people  been 
assigned  in  the  role  of  safety  within  the  organizations  that  existed  at  the  time  of  the 
Challenger  accident  that  the  situation  would  have  been  altered.  There  were  plenty  of 
individuals  who  participated  on  a  daily  basis  in  the  evaluation  of  the  O-ring  design  and 
associated  launch  anomalies  who  agreed  with  the  organizational  position.  The 
Commission’s  response  to  this  was  to  enforce  safety  by  having  it  reviewed  at  a  higher, 
autonomous  level.  However,  for  the  reasons  presented  above,  this  solution  is  difficult  to 
ensure  success.  The  ability  of  this  new  safety  structure  to  improve  safety  in  the  Post 
Challenger  years  will  be  explored  in  more  detail  in  relationship  to  the  Columbia  accident 
later  in  this  paper. 

5.  Other 

In  addition  to  documenting  the  primary  technical  cause  of  the  accident  and  the 
contributing  aspects  discussed  above  as  well  as  issuing  recommendations  to  reduce  these 
causes,  the  Rogers  Commission  felt  compelled  to  dedicate  a  section  to  additional  safety 
considerations  that  arose  during  the  investigation.  These  matters  did  not  factor  into  the 
accident  that  befell  mission  51-L,  but  held  the  possibility  for  safety  problems  in  the 
future.  The  first  area  of  specific  safety  findings  and  recommendations  dealt  with  the 
ascent  phase  and  the  fact  that  there  is  not  capability  for  crew  escape  and  Orbiter  abort 
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capabilities.  The  second  area  of  specific  safety  findings  and  recommendations  had  to  do 
with  landing  operations.  It  is  important  to  note  that  the  issues  with  respect  to  landing  had 
to  do  tires,  braking,  steering,  and  landing  criteria  at  Kennedy  versus  Edwards.  Although 
entry  of  the  Shuttle  was  acknowledged  as  dynamic,  demanding,  and  high  risk,  reentry 
was  not  considered  as  part  of  the  landing  safety  concerns. 


C.  POST  CHALLENGER  INVESTIGATIONS 

The  Challenger  accident  has  spurred  numerous  analyses,  investigations,  research, 
and  publications  seeking  to  leam  from  the  accident  in  terms  of  its  technical,  political,  and 
organizational  lessons.  While  the  Rogers  Commission  and  Congressional  investigations, 
by  there  nature,  had  to  respond  to  the  accident  quickly  in  order  to  restore  the  United 
States  Space  Program,  these  subsequent  analyses  had  the  benefit  of  a  longer  period  of 
time,  and  from  the  position  of  the  investigators  being  autonomous  and  “outsiders.”. 
Therefore,  these  analyses  offer  important  insight  into  the  causes  of  the  accident.  Where 
the  analysis  from  these  sources  directly  related  to  the  findings  and  recommendations  of 
the  Rogers  Commission,  those  analyses  were  presented  along  with  the  Commissions 
findings  and  recommendations  in  the  previous  section.  However,  there  are  several  areas 
that  these  analyses  identify  that  did  not  have  a  parallel  in  the  report  of  the  Commission. 
Those  findings  are  presented  here  to  provide  insight  into  areas  to  permit  these  analyses  to 
also  be  considered  with  respect  to  the  objectives  of  this  paper. 

According  to  Vaughan,  her  initial  intent  in  studying  the  Challenger  accident  was 
to  investigate  occurrences  of  organizational  misconduct  or  amoral  calculation  that  had 
been  alleged  in  many  reports  on  the  Challenger  accident.  These  allegations  arose  in  the 
Rogers  report  in  tenns  of  the  withholding  of  information  during  the  launch  decision  on 
the  eve  of  the  launch,  the  decision  process  related  to  the  design  of  the  SRB  joints,  and  the 
suppression  of  technical  data  indicating  flaws  in  the  design.  These  allegations  also  arose 
in  the  House  Committee  on  Science  and  Technology  report  that  indicated  the  launch 
decision  was  a  result  of  “management  incompetence.44”  However,  as  Vaughan  analysis 

44  House  of  Representatives,  Committee  on  Science  and  Technology,  Ninety-Ninth  Congress, 
Investigation  of  the  Challenger  Accident,  Report  of  the  Committee  on  Science  and  Technology’, 

Government  Printing  Office,  Washington,  D.C.,  1986. 
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unfolds  she  asserts  that  those  involved  in  the  both  the  launch  decision  and  the  technical 
assessment  of  the  SRB  joint  did  not  represent  examples  of  organizational  misconduct  or 
amoral  calculation,  but  rather  were  products  of  the  culture  and  nonns  of  the  agency  itself. 

Vaughan’s  analysis  centers  on  the  concept  of  gradual  acceptance  of  risk  and 
nonnalization  of  deviance.  NASA  practiced  a  process  of  determining  Acceptable  Risk. 
This  was  a  formal  process  of  conferring  a  risk  status  on  each  component.  Hazards  that 
could  not  be  eliminated  or  controlled  were  subjected  to  a  formal  risk  assessment.  A 
component  could  be  classified  as  an  Acceptable  Risk  only  on  the  basis  of  documented 
analysis  of  the  problem,  the  probability  of  its  recurrence,  and  data  supporting  a 
conclusion  of  acceptable  risk.  The  work  group  that  made  decisions  concerning  the  SRB 
joints  conformed  to  NASA’s  procedure  for  hazard  analysis.  In  fact,  many  components  of 
the  Space  Shuttle  were  routinely  flown  under  the  category  of  “acceptable  risk.” 

The  SRB  design  decision  is  an  example  of  the  normalization  of  deviance.  This 
concept  is  that  based  on  the  fact  that  when  a  group  shares  expectations  of  a  certain  result, 
the  group  will  tend  to  continue  to  believe  these  expectations  even  when  faced  with 
contrary  evidence.  As  the  Rogers  report  correctly  indicates  there  had  been  numerous 
examples  of  O-ring  erosion  and  blow-by  over  the  years,  however  this  behavior  was 
explained  in  each  case  and  used  to  demonstrate  the  fact  that  the  design  was  in  fact  robust. 
That  is,  the  system  had  held  together  even  in  light  of  a  history  of  erosion  and  blow-by. 
Interestingly,  the  work  group  who  approved  the  launch  was  the  same  group  that  had 
nonnalized  the  deviant  results  on  the  booster  joints  over  the  years.  The  first  step  down 
this  road  was  taken  prior  to  the  first  flight,  when  after  significant  analysis  of  the  SRB 
joint,  based  upon  concerns  expressed  by  NASA  engineers,  the  SRB  was  certified  as  flight 
worthy.  The  engineers  who  had  conducted  the  analysis  had  made  a  slight  design 
correction  and  believed  they  understood  the  joint  dynamics  and  that  it  was  an  acceptable 
risk.45  This  marked  the  first  example  of  accepting  the  risk  and  many  attempts  to  correct 
the  design  rather  than  redesign;  eventually  this  became  the  accepted  response  to  abnormal 
behavior  of  the  joints  -  tweak  the  design,  but  don’t  stop  and  take  a  hard  look  at  what  is 
fundamentally  going  on.  Vaughan  states,  “The  first  decision  establishes  precedent  that 
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becomes  a  normative  standard  for  future  decisions  in  similar  cases,  paving  the  way  for 
development  of  a  pattern.”46  Eventually  if  an  individual  questions  the  precedent  and  tries 
to  introduce  a  new  decision  criteria,  as  the  Thiokol  engineers  did  on  the  eve  of  the 
Challenger  launch,  it  can  cause  a  loss  of  face  and  result  in  group  pressure  to  conform  to 
the  norms. 

The  formal  Challenger  investigations  cited  failures  in  communications  during  the 
Flight  Readiness  Review  (FRR)  process  to  elevate  the  problems  of  the  SRB  joints. 
However,  in  presenting  the  FRR  process,  Vaughan  offers  some  reasons  for  this  and 
relates  the  result  to  the  acceptance  of  risk  process  within  NASA.  The  FRR  process  was  a 
very  fonnal  process  that  progressed  through  increasingly  higher  levels  bringing  in  more 
and  more  aspects  of  the  Shuttle  program  at  each  level  and  raising  the  level  of  the 
approving  official  at  each  step.  There  are  a  couple  of  major  factors  that  relate  to  the 
ability  of  the  FRR  to  have  played  a  role  in  the  SRB  joint  issue.  First,  at  each  step  in  the 
process  the  content  was  by  necessity  reduced  in  order  to  keep  the  reviews  manageable. 
Each  level  became  more  problem  oriented  as  the  reviews  progressed  up  the  line.  As 
problems  were  deemed  solved  there  was  less  reason  to  pass  the  infonnation  along.  There 
were  rules  for  the  type  of  information  that  was  carried  forward  to  the  final  two  FRR 
levels.  One  of  these  rules  forms  the  second  major  factor.  That  rule  is  that  only  changes 
or  deviations  from  what  was  previously  understood  or  done  were  to  be  reported.  The 
reverse  of  this  was  also  true;  previously  disclosed  issues  that  had  not  changed  status  were 
not  reported.  This  was  known  as  the  “Delta  concept”  within  the  FRR  process.  This 
meant  that  once  the  SRB  joint  issue  was  raised  it  was  not  necessary  to  raise  it  again  as 
long  as  its  performance  was  consistent  with  earlier  behavior.  In  1984,  the  O-ring  erosion 
was  raised  to  the  highest  levels  of  the  NASA  FRR  process  due  to  a  change  in  the  way  that 
O-rings  were  to  be  tested  prior  to  the  next  flight.  At  this  FRR,  the  previous  erosion 
experience  base  was  presented.  The  recommendation  to  the  top  level  FRR  was  to  accept 
the  possibility  of  some  O-ring  erosion  due  to  hot  gas  impingement.  All  levels  had  been 
informed  of  the  problem,  the  rationale  for  accepting  risk,  and  the  fact  that  erosion  was 
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expected  on  future  flights.  The  Delta  approach  meant  that  unless  the  technical  basis  for 
what  had  been  presented  changed  there  was  no  need  to  present  the  erosion  issue  at  future 
FRRs. 

It  is  a  central  theme  in  the  Rogers  report  and  the  Congressional  investigation  that 
there  were  rule  violations  as  part  of  the  launch  decision  and  SRB  joint  technical 
reporting.  The  implication  of  these  rule  violations  is  that  they  failed  to  inform  the  higher- 
ups  about  problems,  and  if  the  information  had  flowed  up,  that  the  decisions  would  have 
been  different.  However,  according  to  Vaughan  based  on  her  investigation  of  the  policies 
in  place  at  the  time,  there  were  no  rule  violations.47  Her  contention  is  that  the  decisions 
were  within  the  norms  of  the  NASA  organization.  The  Level  I  and  II  FRRs  preceding  the 
Challenger  launch  had  no  mention  of  the  SRB  anomalies  that  conformed  to  the  Delta 
Concept.  After  the  Columbia  returned  just  prior  to  the  Challenger  launch,  additional 
erosion  was  found  on  the  joints,  however  it  was  within  the  experience  base  and  served  to 
further  affirm  redundancy  and  robustness  of  design. 

Vaughan  also  makes  some  other  points  concerning  the  culture  of  engineers  and 
how  it  may  have  contributed  to  the  accident.  One  aspect  is  that  within  engineering 
groups  the  viewpoint  often  is  “Change  is  bad.”48  This  viewpoint  comes  from  the 
uncertainties  of  a  new  design  and  the  unknown  evils  versus  those  that  are  known.  This 
played  a  role  in  not  wanting  to  redesign  the  shuttle  joint.  Another  aspect  has  to  do  with 
the  reliance  on  solid  data  in  making  engineering  decisions.  In  both  the  decision  on  the 
eve  of  the  launch  and  an  earlier  discussion  on  the  effects  of  cold,49  the  Thiokol  engineers 
proposed  a  correlation  between  cold  temperatures  and  O-ring  damage  but  were  unable 
positively  influence  the  decision  makers  due  to  a  lack  of  solid  data  or  concrete  influence. 
In  this  early  discussion,  there  was  only  a  weak  relationship  of  cold  to  damage  and  it  was 
observational  as  opposed  to  quantifiable.  When  combined  with  the  low  likelihood  of 
cold  temperatures  at  the  Cape,  the  effect  of  cold  was  dismissed. 

In  Trento’s  analysis  of  the  Challenger  accident,  he  reports  on  events  surrounding 

the  first  flight  of  the  Challenger  that  went  unreported  by  the  Rogers  Commission  as  they 
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were  unrelated  to  the  Challenger  accident,  but  they  are  quite  relevant  when  viewed  in  the 
context  of  the  Columbia  accident.  Trento  reports  that  on  the  first  flight,  “Tiles  were 
missing  from  the  aft  right  orbital  maneuvering  pod  of  the  shuttle.”50  The  heat  protection 
experts  became  worried  by  this  and  set  out  to  investigate  the  magnitude  of  the  problem. 
At  this  point,  the  shuttle  was  not  authorized  for  extravehicular  excursions.  As  result  of 
the  concern  the  Air  Force  offered  to  attempt  to  photograph  the  orbiter  with  powerful  new 
(and  at  the  time  secret)  ground  cameras.  However  the  results  were  not  detailed  enough  to 
make  a  judgment  on  the  status  of  the  tiles.  Next,  the  KH-1 1  spy  satellite  was  used  and 
pictures  of  sufficient  quality  to  assure  no  large  section  of  the  tiles  were  missing. 


D.  INVESTIGATION  OF  THE  COLUMBIA  ACCIDENT 
1.  Overview 

The  Columbia  Accident  Investigation  Board  (CAIB)  detennined: 

The  physical  cause  of  the  loss  of  Columbia  and  its  crew  was  a  breach  in 
the  Thermal  Protection  System  on  the  leading  edge  of  the  left  wing.  The 
breach  was  initiated  by  a  piece  of  insulating  foam  that  separated  from  the 
left  bipod  ramp  of  the  External  Tank  and  struck  the  wing  in  the  vicinity  of 
the  lower  half  of  Rein-forced  Carbon-Carbon  panel  8  at  81.9  seconds  after 
launch.  During  re-entry,  this  breach  in  the  Thermal  Protection  System 
allowed  superheated  air  to  penetrate  the  leading-edge  insulation  and 
progressively  melt  the  aluminum  structure  of  the  left  wing,  resulting  in  a 
weakening  of  the  structure  until  increasing  aerodynamic  forces  caused  loss 
of  control,  failure  of  the  wing,  and  breakup  of  the  Orbiter.51 

Throughout  the  report,  the  CAIB  had  many  findings  and  recommendations 
relating  to  both  the  physical  cause  of  the  accident  and  the  causal  factors  that  allowed  the 
errors  and  bad  decisions  to  be  made.  Of  the  twenty-nine  recommendations  made,  all  but 
six  of  them  were  directly  related  to  the  physical  cause  of  the  accident,  although  the 
majority  of  the  report  was  dedicated  to  discussion  of  these  causal  factors.  As  with  the 
Rogers  Commission,  the  CAIB  determined  that  substantial  changes  must  occur  within  the 
NASA  organization  and  culture  if  future  accidents  are  to  be  prevented.  The  following 
sections  will  discuss  the  casual  factors  of  the  Columbia  accident  that  were  discussed  in 
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the  Board’s  report.  The  relationship  to  the  causes  discussed  in  the  Challenger  section 
will  be  explored.  It  should  be  noted  that  the  reason  why  many  of  the  causes  discussed  in 
the  Challenger  section  were  also  included  in  the  Columbia  report  may  be  because  Diane 
Vaughan  was  a  researcher  assigned  to  the  CAIB  staff.  Further  analysis  of  the 
relationship  of  the  Challenger  and  Columbia  accidents  and  their  causal  factors  will  be 
discussed  in  the  analysis  section  of  this  report. 

2.  Contributing  Causes  of  the  Columbia  Accident 

Like  the  Rogers  Commission,  the  CAIB  placed  much  of  the  blame  for  the 
Columbia  accident  on  the  culture  that  exists  at  NASA.  “By  the  eve  of  the  Columbia 
accident,  institutional  practices  that  were  in  effect  at  the  time  of  the  Challenger  accident 
-  such  as  inadequate  concern  over  deviations  from  expected  performance,  a  silent  safety 
program,  and  schedule  pressure  -  had  returned  to  NASA.”52  It  is  important  to  understand 
how  this  culture  has  evolved  over  the  lifetime  of  the  NASA  organization.  NASA’s  early 
days  had  lofty  goals  set  by  Presidents,  and  they  were  provided  budgets  to  meet  these 
goals.  NASA  developed  a  can-do  attitude  and  had  great  successes  during  the  Apollo  era. 
However,  as  the  nations  priorities  shifted,  the  budgets  NASA  was  granted  did  not  match 
the  goals  they  were  given.  Fueled  by  their  early  successes,  NASA’s  belief  that  they  were 
the  only  organization  that  could  execute  the  human  space  flight  programs  led  them  to 
reject  many  of  the  criticisms  and  recommendations  that  resulted  from  the  various  panels 
and  reviews  of  their  organization,  including  the  Rogers  Commission.  However,  although 
the  culture  was  not  changing,  the  organization  was  changing. 

Feeling  pressure  from  budget  cuts  with  little  cuts  in  the  scope  of  responsibilities 
and  programs  they  were  expected  to  perform,  NASA  began  to  rely  more  on  outsourcing 
to  contractors.  This  organization  change  required  modifying  the  safety  oversight  and 
communication  necessary  to  have  programs  as  successful  as  the  Apollo  programs. 
Instead  of  concentrating  on  improving  the  safety  and  managerial  aspects  of  the  space 
program  as  recommended  by  various  commissions,  NASA  tried  to  do  more  with  less, 
adopting  the  motto  “Faster,  better,  cheaper.”  The  space  shuttle  program  has  had  huge 
budget  cuts,  while  the  shuttle  has  become  more  expensive  to  operate  and  is  critical  for  the 
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construction  of  the  International  Space  Station  (ISS).  Although  NASA’s  overall  budget 
decreased  by  thirteen  percent,  the  shuttle  budget  decreased  by  approximately  forty 
percent  over  the  last  decade.53 

Between  1991  and  1994,  Shuttle  operating  costs  were  cut  by  twenty-one 
percent.54  In  1996,  the  Space  Shuttle  Program  management  was  moved  back  to  Johnson 
Space  Center,  as  it  was  before  the  Challenger  accident.  The  Space  Flight  Operations 
contract  was  signed,  and  United  Space  Alliance  took  over  61  percent  of  outsourced 
Shuttle  operations  contracts,  including  safety  and  various  inspections.55  The  savings 
expected  from  these  contracts  have  not  been  realized;  however,  the  impacts  to  the 
downsized  civil  service  workforce  and  safety  programs  have  increased  the  risk  of 
operating  the  Shuttle.  NASA  attempted  to  change  some  aspects  of  their  organization  to 
better  manage  this  new  structure,  but  the  budget  cuts  did  not  allow  for  proper  oversight, 
and  the  contractor  was  relied  upon  often  without  being  checked  by  government 
representatives.  In  addition,  the  contract  had  cost  reduction  incentives  in  an  attempt  to 
force  the  contractor  to  be  more  efficient,  but  these  savings  were  often  achieved  at  the 
expense  of  safety  improvements,  and  did  not  allow  for  proper  study  and  correction  of 
anomalies  that  would  occur  on  virtually  every  mission. 

Only  three  years  after  the  Challenger  disaster,  NASA  started  reverting  to  the 
ways  that  the  Rogers  Commission  attempted  to  improve.  With  the  leadership  back  in 
Johnson  and  out  of  the  Washington  headquarters,  and  the  contractors  having  more 
responsibility,  there  were  many  inside  NASA  who  were  concerned  about  this  new 
organization. 

The  organizational  was  further  complicated  by  the  separation  of  the  orbiter  from 
the  rest  of  the  system.  The  integration  office  was  not  responsible  for  the  orbiter,  and  as  a 
result,  labeled  foam  loss  as  a  lower-level  problem  than  it  should  have  been.  “The 
Integration  office  did  not  have  continuous  responsibility  to  integrate  responses  to  bipod 
foam  shedding  from  various  offices.  Sometimes  the  Orbiter  Office  had  responsibility, 

sometimes  the  External  Tank  Office  at  Marshall  Space  Flight  Center  had  responsibility, 
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and  sometime  the  bipod  shedding  did  not  result  in  any  designation  of  an  In-Flight 
Anomaly.  Integration  did  not  occur.”56  To  correct  this,  CAIB  recommendation  R7.5-3 
would  make  the  integration  office  responsible  for  the  entire  system,  including  the  orbiter. 

In  2001,  Sean  O’Keefe  became  Administrator  of  NASA,  and  he  moved  Space 
Shuttle  Program  management  back  to  Headquarters  in  Washington,  DC.  The  budgets  for 
the  Space  Shuttle  began  to  increase  around  this  time,  as  NASA  and  Congress  realized 
that  a  Shuttle  replacement  was  not  on  the  horizon,  and  the  Shuttle  infrastructure  which 
was  so  neglected  in  the  1990’s  would  be  operating  possibly  through  2020,  and  would  be 
relied  upon  to  build  and  maintain  the  ISS.  “A  decade  of  downsizing  and  budget 
tightening  has  left  NASA  exploring  the  universe  with  a  less  experienced  staff  and  older 
equipment.”57  Although  NASA  had  various  proposals  for  a  new  space  vehicle,  none  had 
ever  gained  enough  acceptance  to  be  funded  to  necessary  levels  to  make  them  a  reality. 
These  initiatives  included  the  National  Aerospace  Plane  in  the  late  1980’s,  VentureStar  in 
the  1990’s,  and  the  Space  Launch  Initiative  from  2000  to  2002.  Although  billions  of 
dollars  had  been  spent  exploring  these  options,  none  seemed  feasible  replacements  to  the 
Shuttle.  The  Orbital  Space  Plane  is  a  more  recent  initiative  intended  only  to  complement 
the  shuttle  by  carrying  personnel  to  the  ISS.  Although  nothing  substantial  came  from 
these  projects,  they  did  take  money  from  the  Space  Shuttle,  since  Shuttle  upgrades  were 
delayed  in  anticipation  of  a  replacement  soon  being  developed.  With  the  Shuttle  life 
expected  to  extend  well  into  2020,  some  money  was  finally  invested  in  long  needed 
upgrades,  however  it  may  have  been  too  little  too  late. 

With  no  replacement  on  the  horizon,  the  space  shuttle  was  experiencing  flight 
schedule  pressures,  specifically  driven  by  construction  of  the  International  Space  Station. 
Although  the  Columbia  mission  was  not  directly  related  to  the  ISS,  the  timing  of  the 
launch  could  not  be  delayed  because  the  Columbia  was  scheduled  to  be  modified  to 
support  future  ISS  missions.  These  modifications  would  be  done  immediately  after  the 
STS- 107  mission.  Any  delay  in  STS- 107  would  have  repercussions  for  future  ISS 
missions.  Schedule  pressures  limit  the  time  that  can  be  spent  to  analyze  problems  and 
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find  solutions,  and  result  in  increased  risk  for  each  flight.  The  CAIB  recommendation 
R6.2-1  instructs  NASA  to  “Adopt  and  maintain  a  Shuttle  flight  schedule  that  is  consistent 
with  available  resources.”58 

3.  Managing  the  Risk  of  Foam  Loss 

Like  the  days  leading  up  to  the  final  launch  of  the  Challenger,  the  manner  in 
which  NASA  made  decisions  and  managed  the  risks  in  the  Shuttle  program  was  likely  the 
most  important  factor  leading  to  the  loss  of  the  Columbia.  The  STS- 107  mission  was  not 
the  first  flight  to  lose  foam  from  the  main  fuel  tank.  Visual  evidence  of  foam  loss  can  be 
seen  on  over  ten  percent  of  Shuttle  flights,  although  it  is  believed  that  the  majority  of 
missions  had  some  amount  of  foam  loss  during  launch.  In  addition,  every  launch  has 
sustained  some  amount  of  damage  due  to  debris  striking  the  orbiter,  and  has  had  to  been 
repaired  as  part  of  the  turnaround  process.  NASA  was  not  able  to  leam  from  the  studies 
done  after  the  Challenger  accident  that  discuss  the  agency’s  tendency  to  accept  risk  as 
well  as  deviances  from  specifications  and  expected  outcomes  based  on  previous 
successes,  regardless  of  the  predicted  probability  of  these  results. 

With  the  frequencies  at  which  foam  was  lost,  and  debris  struck  the  orbiter 
throughout  the  history  of  the  Shuttle  program,  how  is  it  possible  that  NASA  could  ignore 
this  known  problem  for  all  those  years?  This  happed  even  while  NASA  was  claiming  to 
have  improved  their  safety  program  after  the  Challenger,  and  while  an  outstanding  action 
concerning  significant  foam  loss  from  two  missions  before  the  Columbia  launch  was  left 
open,  without  resolution,  while  NASA  continued  to  launch  shuttles.  One  of  the  original 
requirements  for  the  Space  Shuttle  System  was  that  there  should  be  no  shedding  of  ice  or 
other  debris  during  pre-launch  and  flight.  As  a  result  of  this  requirement,  the  orbiter  was 
allowed  to  be  designed  with  a  fragile  thennal  protection  system,  with  minimal 
requirements  to  withstand  any  debris  strikes.  With  this  in  mind,  NASA  engineers  were 
very  concerned  when  after  the  first  shuttle  flight;  the  Columbia  needed  over  three 
hundred  tiles  replaced  because  of  the  debris  it  encountered  during  launch.  Bipod  foam 
loss  was  first  observed  in  1983  on  the  Challenger.  This  was  flagged  as  an  anomaly  that 
needed  to  be  resolved  before  the  shuttle  could  be  launched  again.  This  anomaly  was 
closed  based  on  the  repairs  to  the  Orbiter’ s  thermal  protection  system,  but  the  real 
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problem,  the  shedding  of  foam  insulation  during  launch,  was  never  addressed.  Other 
foam  loss  discovered  by  the  CAIB  was  never  addressed  because  NASA’s  review  of  the 
film  was  not  adequate  to  discover  this  was  happening  and  report  it  as  a  flight  anomaly. 
Ironically,  the  problem  of  foam  loss  and  Orbiter  damage  was  brought  up  during  the 
Challenger  accident  investigation  by  the  Rogers  Commission59,  but  still  no  action  was 
taken  to  modify  the  foam  to  eliminate  shedding,  or  to  improve  the  Orbiter’ s  resistance  to 
this  damage.  Additionally,  post -Challenger  analyses  indicated  that  one  of  the  concerns 
that  were  expressed  about  the  cold  weather  faced  by  Challenger  was  the  possibility  of  ice 
shedding  from  the  external  tank.  An  Ice  Team  was  sent  to  make  certain  that  “frost  on  the 
tank  was  not  so  thick  that  chunks  that  fell  during  the  blasting  roar  of  lift-off  would 
damage  the  Orbiter’s  fragile  tiles  on  impact.”60  This  tends  to  indicate  that  the  technical 
community  would  take  measures  to  avoid  debris  shedding  due  to  ice,  but  that  they  had 
come  to  accept  the  foam  shedding  and  any  risk  that  resulted  from  it. 

NASA  did  not  act  on  the  foam  problem  because  they  treated  it  as  only  a 
maintenance  issue,  adding  time  to  repair  Orbiters  before  they  could  be  launched  again. 
“With  each  successful  landing,  it  appears  that  NASA  engineers  and  managers 
increasingly  regarded  the  foam-shedding  as  inevitable,  and  as  either  unlikely  to 
jeopardize  safety  or  simply  an  acceptable  risk.  The  distinction  between  foam  loss  and 
debris  events  also  appears  to  have  become  blurred.  NASA  and  contractor  personnel 
came  to  view  foam  strikes  not  as  a  safety  of  flight  issue,  but  rather  a  simple  maintenance, 
or  “turnaround”  issue.”61  Foam  loss  was  again  flagged  as  a  problem  after  STS  1 12,  two 
missions  before  the  Columbia's  final  launch.  An  Integrated  Hazard  Report  (IHR)  was 
generated  because  of  the  significant  size  and  damage  caused  during  this  flight.  NASA 
continued  flying  the  shuttles  despite  this  outstanding  hazard  report. 

NASA  seems  to  equate  previous  success  with  low  risk  or  robustness  of  design. 
The  foam  loss  IHR  was  not  considered  significant  enough  to  delay  Columbia's  STS-107 
mission  because  STS- 113  had  already  been  successfully  flown  prior  to  determining  the 
root  cause  of  the  foam  loss  and  recommending  corrective  action,  as  required  to  close  the 
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hazard  report.  During  the  STS- 113  Flight  Readiness  Review,  the  rational  for  launching 
without  resolving  the  foam  IHR  was  also  based  on  past  performance;  foam  loss  was 
never  before  considered  a  Safety  of  Flight  issue,  and  no  orbiter  had  ever  been  damaged 
enough  to  create  a  safety  of  flight  issue.  Given  this  past  success,  it  was  concluded  that 
the  shuttle  was  “safe  to  fly  with  no  new  concerns  (and  no  new  risk).”62  In  an  example  of 
continued  acceptance  of  risk  and  normalization  of  deviance  that  was  cited  as  crucial  in 
the  Challenger  accident,  “With  no  engineering  analysis,  Shuttle  managers  used  past 
success  as  justification  for  future  flights.”63  The  open  IHR  was  of  such  little  significance 
during  the  preparations  for  Columbia' s  flight,  it  was  not  even  mentioned  in  the  Flight 
Readiness  Review  documentation.  If  having  a  better  review  of  open  issues  did  not 
convince  management  there  was  sufficient  reason  to  prevent  the  launch  of  STS- 107,  it 
might  have  at  least  raised  the  awareness  of  the  issue  and  resulted  in  a  better  effort  to 
determine  the  possible  damage  to  the  orbiter  after  the  foam  loss  was  discovered  after 
launch. 

As  previously  discussed  within  the  Challenger  analysis,  NASA  again  displayed  a 
tendency  to  practice  “normalization  of  deviance,”  or  acceptance  or  risk  based  on  past 
successes.  More  specifically,  the  management  of  the  risk  associated  with  foam  loss  was 
pointed  out  during  the  Rogers  Commission  investigation  by  Shuttle  Program  Manager 
Arnold  Aldrich.64  NASA’s  tendency  of  accepting  risk  based  on  success  was  also 
discussed  in  a  report  in  March  of  2000  by  a  Shuttle  Independent  Assessment  Team 
(SAIT)  which  was  set  up  to  review  NASA’s  recent  “close  calls.”  “The  SIAT  was 
concerned  with  ‘success-engendered’  safety  optimism  . . .  The  SSP  must  rigorously  guard 
against  the  tendency  to  accept  risk  solely  because  of  prior  success.”65  Not  only  does 
NASA  practice  this  normalization  of  deviance  regularly,  but  this  has  been  repeatedly 
pointed  out  to  them,  and  they  have  not  changed  their  ways.  Given  this,  one  starts  to 
question  if  NASA  is  really  an  organization  that  is  capable  of  changing  their  culture. 
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4.  Organizational  and  Cultural  Causes 

When  causal  chains  are  limited  to  technical  flaws  and  individual  failures, 
the  ensuing  responses  aimed  at  preventing  a  similar  event  in  the  future  are 
equally  limited:  they  aim  to  fix  the  technical  problem  and  replace  or 
retrain  the  individual  responsible.  Such  corrections  lead  to  a  misguided 
and  potentially  disastrous  belief  that  the  underlying  problem  has  been 
solved.66 

The  Rogers  Commission  recognized  this,  and  included  the  many  organizational  changes 
recommended  in  the  previous  discussions.  However,  when  the  CAIB  started  their  review 
of  NASA’s  organization,  they  found  it  had  not  changed  substantially  from  what  existed  at 
the  time  of  the  Challenger  accident. 

The  Columbia  accident  resulted  from  a  series  of  decisions  made  by  NASA 
management,  similar  to  the  decisions  that  led  up  to  Challenger' s  final  flight.  The  foam 
loss  and  impact  with  the  orbiter  was  noticed  by  the  Intercenter  Photo  Working  Group  the 
day  after  Columbia  was  launched.  However,  the  extent  of  any  damage  resulting  from  this 
event  could  not  be  determined  from  the  available  pictures.  A  group  was  formed  to 
investigate  the  potential  implications  of  this  strike.  The  group  became  known  as  the 
Debris  Assessment  Team,  instead  of  a  true  “Tiger  Team”  which  according  to  NASA 
procedures,  should  have  been  established  and  given  clear  roles  and  responsibilities.  This 
was  one  of  the  many  times  that  NASA  failed  to  follow  their  own  established  procedures, 
creating  additional  confusion  with  respect  to  communication  lines  and  reporting 
requirements.  Without  having  the  charter  of  a  true  tiger  team,  the  debris  assessment  team 
did  not  have  the  guidance  or  the  authority  to  effectively  complete  their  analysis,  and  did 
not  have  the  correct  forum  in  which  to  present  their  findings.  Instead  of  waiting  for  the 
results  from  the  Debris  Assessment  Team,  who  was  the  right  group  to  assemble  the 
necessary  data  to  make  an  informed  engineering  judgment  as  to  the  effect  the  foam  strike 
would  have  had  on  the  orbiter,  NASA  management  relied  on  early,  incomplete 
assessments  from  area  experts  and  had  already  begun  to  believe  that  it  was  unlikely  that 
the  debris  strike  could  cause  any  significant  damage  to  the  orbiter.  Given  this  incorrect 
assessment,  and  previous  successful  flights  with  debris  strikes,  it  was  easy  for 
management  to  give  the  debris  strike  analysis  a  low  priority  and  low  risk,  and  also  deny 
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any  requests  for  imaging  to  further  assess  damage  from  the  strike.  The  Intercenter  Photo 
Working  Group  was  the  first  to  request  that  satellite  imaging  be  used  to  get  a  view  of  the 
orbiter  to  help  assess  any  damage  that  may  have  occurred.  This  request  was  not  acted 
upon,  even  though  the  use  of  satellite  imagery  had  been  demonstrated  as  successful  in 
photographing  thermal  tiles  for  damage  going  all  the  way  back  to  the  first  Challenger 
flight.67 

After  further  analysis  of  the  foam  loss,  the  size  of  the  piece  that  separated  from 
the  tank  and  impacted  the  orbiter  was  able  to  be  estimated.  This  was  used  as  input  to  a 
computer  program  called  Crater,  which  predicts  damage  to  the  thermal  protection  system. 
Although  the  size  of  the  debris  was  larger  than  those  which  the  Crater  algorithms  had 
been  developed  to  evaluate,  the  tool  was  the  best  prediction  model  available  and  was 
used  for  this  analysis.  The  Crater  analysis  predicted  that  the  Thennal  Protection  System 
might  have  been  damaged  to  a  point  where  the  aluminum  frame  would  be  exposed  to  the 
severe  reentry  heat.  Although  this  should  have  alerted  NASA  management  that  this  was 
a  potentially  catastrophic  problem,  it  was  dismissed  because  Crater  was  thought  to  be  a 
very  conservative  tool,  the  exact  location  of  the  debris  strike  was  not  known,  and  experts 
had  convinced  the  management  that  there  would  be  no  concern  of  breach  of  the  thermal 
protection  system.  It  was  likely  that  the  strike  could  have  stuck  a  location  that  would 
survive  such  an  impact.  Management  continued  to  believe  that  the  impact  was  similar  to 
what  was  experienced  in  previous  missions,  and  was  not  expected  to  be  an  issue  to  be 
concerned  with  since  there  was  no  problems  with  these  earlier  events.  To  support  this 
conclusion,  management  requested  more  research  into  “what  rationale  had  been  used  to 
fly  after  External  Tank  foam  losses  on  STS-87  and  STS-112.”68  This  would  not  only 
support  the  premature  conclusion  they  were  looking  for,  but  would  assist  in  the  allowing 
future  flights  to  be  launched  after  this  event.  Management  also  believed  that  increasing 
the  estimated  risk  of  potential  impacts  from  foam  loss  would  have  contradicted  previous 
decisions  made  by  the  very  same  group.  It  would  mean  that  management  would  have  to 
admit  that  they  might  have  been  wrong  or  underestimated  the  foam  loss  problem  in  the 
past. 
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Continuing  to  work  without  a  strict  charter  or  empowerment  by  the  NASA 
hierarchy,  the  Debris  Assessment  Team  continued  to  review  the  event,  and  determined 
that  in  order  to  make  an  informed  decision  as  to  the  potential  damage  from  the  foam,  any 
in-orbit  imagery  they  could  obtain  would  greatly  assist  in  this  analysis.  Not  being  very 
familiar  with  Department  of  Defense  (DoD)  imaging  capabilities,  and  not  having  a  clear 
communication  path  to  upper  management  or  departments  who  may  have  been  more 
familiar  with  such  requests,  the  attempts  by  the  team  to  obtain  such  imaging  were 
confused  and  eventually  denied  by  NASA  management.  The  team  made  one  final 
attempt  to  obtain  the  requested  imaging  through  the  engineering  directorate  instead  of  the 
usual  mission  chain  of  command.  Again,  because  of  the  confusion  in  the  communication 
protocols  and  chains  of  command  responsible  for  this  group,  the  request  was  thought  to 
be  more  of  an  engineering  desire  than  a  mission  need,  and  it  was  again  denied. 
Management  denied  the  request  because  there  was  not  a  “requirement”  to  get  the 
imagery,  and  they  could  not  immediately  determine  from  where  the  request  originated. 
Had  the  Debris  Assessment  Team  had  more  of  an  official  charter  and  chain  of  command, 
the  origins  of  the  imagery  request  would  have  been  better  understood  and  may  have  been 
fulfilled.  Another  reason  given  by  management  as  to  why  the  request  was  denied  was  a 
belief  that  nothing  could  be  done  if  there  the  imagery  did  detect  that  something  was 
noticeably  wrong  with  the  orbiter.  Since  the  Debris  Assessment  Team  did  not  understand 
that  the  management’s  denial  to  image  the  orbiter  was  not  a  direct  response  to  their 
request,  they  assumed  it  was  and  attempted  to  detennine  if  their  request  was  a  mandatory 
requirement,  without  truly  understanding  what  that  meant.  “Analysts  on  the  Debris 
Assessment  Team  were  in  the  unenviable  position  of  wanting  images  to  more  accurately 
assess  damage  while  simultaneously  needing  to  prove  to  Program  managers,  as  a  result  of 
their  assessment,  that  there  was  a  need  for  images  in  the  first  place.”69 

Four  factors  lead  to  NASA’s  belief  that  the  Columbia  was  not  in  danger  from  the 
foam  impact  seen  in  the  launch  photographs: 

1 .  the  Debris  Assessment  Team  was  not  properly  empowered  to  perform  the 
analysis  task,  and  detrimental  communication  problems  resulted, 
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2.  the  analysis  of  the  strike  was  based  on  the  results  of  a  tool  not  fully 
appropriate  for  this  application,  and  its  results  were  not  believed, 

3.  Shuttle  management  had  a  pre-detennined  opinion  that  foam  strikes  were  low 
risk,  mostly  based  on  past  performance,  and 

4.  the  safety  representatives  did  not  perform  an  independent  analysis,  and  did  not 
question  the  assumptions  of  the  analysis,  or  notice  that  the  actions  of 
management  was  requiring  the  engineers  to  demonstrate  that  the  system  was 
unsafe,  instead  of  requiring  them  to  prove  it  was  safe,  and  giving  them  all  the 
tools  to  assist  them  in  this  assessment. 

The  CAIB  made  some  interesting  observations  concerning  the  communication 
problems  between  management  and  the  engineering  communities.  “Managers  tendency 
to  accept  opinions  that  agree  with  their  own  dams  the  flow  of  effective 
communications.”70  Managers  did  not  seem  to  understand  that  as  leaders  they  had  a 
corresponding  and  perhaps  greater  obligation  to  create  viable  routes  for  the  engineering 
community  to  express  their  views  and  receive  information.  This  barrier  to 
communications  not  only  blocked  the  flow  of  infonnation  to  mangers,  but  it  also 
prevented  the  down  stream  flow  of  information  from  managers  to  engineers,  leaving 
Debris  Assessment  Team  members  no  basis  for  understanding  the  reasoning  behind 
Mission  Management  Team  decisions.”71  The  importance  of  communication  is  often 
assumed  to  be  understood,  and  management  will  show  how  under  nonnal  circumstances 
they  effectively  communicate  with  their  people.  However,  when  there  are  critical 
decisions  to  be  made  in  a  timely  manner,  management  often  attempts  to  quickly  gather 
limited  infonnation  and  make  a  decision  without  much  explanation.  This  may  possibly 
be  the  most  important  time  to  communicate  the  rational  behind  critical  decisions,  but 
partially  because  of  time  constraints  and  so  management  can  move  on  to  other  important 
issues,  it  is  seldom  done.  Many  managers  do  not  believe  that  they  need  to  answer  to  the 
people  who  support  them,  but  contrary  to  their  belief,  these  people  are  often  more 
informed  than  they  are,  and  have  valuable  insights  that  are  often  overlooked  or  simplified 
when  infonnation  makes  it  to  a  management  level.  A  manager  asking  their  technical 
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community  to  critique  their  decision  logic  may  be  a  very  enlightening  experience,  where 
the  manager  can  leam  much,  and  also  the  technical  community  will  also  have  a  forum  to 
express  their  related  knowledge  and  any  concerns.  One  could  even  envision  an  electronic 
bulletin  board  system  where  various  levels  of  responses  could  be  made  to  decisions,  and 
when  the  assumptions  used  to  make  a  critical  decision  are  incorrect,  this  could  be  quickly 
corrected  and  the  decision  re-evaluated  using  better  information.  The  biggest  mistake  of 
the  Missions  Management  was  that  it  did  not  seek  the  infonnation  necessary  to  make  the 
decisions  they  made.  They  did  not  determine  who  was  seeking  the  imaging  requests  and 
more  importantly  why,  they  did  not  require  that  a  better  analysis  tool  be  used  to  assess 
the  damage,  they  did  not  actively  engage  the  Debris  Assessment  Team  and  listen  to  their 
concerns,  and  they  did  not  look  for  options  as  to  what  could  be  done  to  mitigate  risk  of 
bum-up  on  reentry  if  there  was  damage  to  the  orbiter. 

The  lack  of  an  effective  communication  structure  is  damaging  to  any 
organization,  but  when  lives  are  at  stake  like  at  NASA,  it  can  be  truly  detrimental. 
Information  must  be  available  to  the  decision  makers  in  the  organization,  as  well  as  to  the 
people  who  are  affected  by  those  decisions.  A  way  to  pass  additional  information  to 
someone  who  has  made  an  incorrect  decision  or  one  that  was  based  on  misguided 
assumptions  is  also  needed.  An  effective  communication  structure  was  not  present  in 
NASA  at  the  time  of  the  Columbia  accident.  “Program  leaders  spent  at  least  as  much 
time  making  sure  hierarchical  rules  and  processes  were  followed  as  they  did  trying  to 
establish  why  anyone  would  want  a  picture  of  the  Orbiter.”72  Had  the  Mission  managers 
better  understood  this  request,  there  might  have  been  a  chance  of  doing  something  about 
the  damage  to  the  orbiter.  One  of  the  problems  with  the  way  information  is  passed 
through  the  NASA  chain  of  command  is  the  extensive  use  of  viewgraphs.  Simplifying 
information  to  fit  it  on  a  viewgraph  eliminates  many  details  that  may  be  critical  to  the 
decision  being  made,  and  can  diminish  the  importance  of  critical  problems.  In  addition, 
management  were  not  accustomed  to  seek  the  minority  opinion  in  order  to  better 
understand  the  options  and  other  views  which  could  impact  the  decision  being  made. 
Seeking  this  alternative  infonnation  also  fosters  a  culture  where  it  is  acceptable  to  have 
an  opinion  that  differs  from  the  majority,  or  the  way  things  were  done  in  the  past.  If 
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Missions  management  prompted  a  debate  over  whether  the  shuttle  was  safe,  or  if  it  would 
be  useful  to  have  the  pictures  of  Columbia,  or  what  could  be  done  if  the  orbiter  was 
damaged,  the  outcome  of  the  Columbia  may  have  been  more  like  Apollo  13  instead  of 
Challenger . 

The  CAIB  recommendation  6.3-1  directly  relates  to  the  communication  problems 
between  contractors,  NASA  engineers,  and  management.  A  training  program  should  be 
set  up  for  the  Mission  Management  Team  to  face  safety  contingencies  involving  potential 
loss  of  the  Shuttle  or  crew,  and  “assemble  and  interact  with  support  organizations  across 
NASA/Contractor  lines  and  in  various  locations.”73 

5.  NASA’s  Safety  Program 

NASA  claimed  to  have  a  safety  program  that  was  actively  involved,  risk-averse, 
and  empowered  to  stop  any  operations  if  an  employee  felt  there  was  a  safety  problem. 
Contrary  to  this  internal  belief,  the  CAIB  found  the  safety  program  was  not  acting  as 
NASA  described  and  presented  to  the  CAIB.  The  safety  office  was  still  reliant  on 
funding  from  the  programs  they  supported,  instead  of  being  truly  independent  as 
recommended  by  the  Rogers  Commissions.  The  process  that  the  safety  office  was  forced 
to  operate  under  effectively  neutered  their  power  to  independently  monitor  and  effect  the 
shuttle  operations.  “NASA’s  safety  culture  has  become  reactive,  complacent,  and 
dominated  by  unjustified  optimism.  Overtime,  slowly  and  unintentionally,  independent 
checks  and  balances  intended  to  increase  safety  have  been  eroded  in  favor  of  detailed 
processes  that  produce  massive  amounts  of  data  and  unwarranted  consensus,  but  little 
effective  communication.”74 
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Figure  1  -  Safety  Office  within  NASA  Organization  at  Time  of  the  Columbia 

Accident75 

The  safety  organization  within  NASA  was  not  independent,  and  there  were  often 
people  who  were  responsible  for  multiple  roles  within  the  organization  that  had 
conflicting  interests.  The  safety  office  was  not  organized  in  a  way  that  would  provide  for 
one  single  person  to  be  fully  responsible  for  Shuttle  mission’s  safety,  and  to  provide  an 
integrated  view  of  the  safety  of  the  overall  program  (see  Figure  1).  In  addition  to  being 
organizationally  linked  to  the  shuttle  missions,  the  safety  office  is  funded  by  the 
programs  they  support.  Thus,  a  program  only  gets  as  much  safety  oversight  as  they  have 
money  for,  and  if  the  budget  gets  cut,  the  safety  function  is  likely  to  take  as  much  of  a  cut 
as  any  other  part  of  the  program.  In  addition,  since  the  program  money  is  paying  for  their 
safety  review,  the  safety  efforts  will  be  further  influenced  by  schedule  pressures,  since 
not  meeting  schedule  will  eventually  affect  funding  levels,  or  risk  cancellation  of  the 
program.  Since  the  funding  for  safety  was  constantly  being  reduced  through  NASA’s 
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various  reorganizations,  independent  analysis  by  the  safety  group  was  often  not 
completed,  and  they  had  to  rely  on  the  technical  analysis  done  by  other  engineering 
groups  working  on  the  program.  The  CAIB  recommendation  R7.5-2  directly  addresses 
the  safety  office’s  authority  and  budgeting;  stating  that  “NASA  Headquarters  Office  of 
Safety  and  Mission  Assurance  should  have  direct  line  authority  over  the  entire  Space 
Shuttle  Program  safety  organization  and  should  be  independently  resourced.”76 

The  Shuttle  program  used  various  databases  to  track  problems.  These  databases 
were  separate,  and  were  not  easily  queried  to  get  information  worthy  of  assisting  in  any 
decision  making  process.  The  databases  tracking  critical  items,  waivers,  and  hazard 
reports  could  have  helped  the  safety  office  better  understand  the  risk  associated  with 
shuttle  missions  or  other  problems,  but  their  complexity  prohibited  their  use  as  a  risk 
analysis  tool.  Had  these  tools  been  better  integrated  or  more  accessible,  the  safety 
reviewers  might  have  been  more  likely  to  press  management  to  defend  their  decision  to 
go  forward  with  the  STS- 113  and  Columbia  missions,  even  though  there  was  an 
outstanding  issue  relating  to  foam  loss  from  STS- 112  which  had  not  been  answered. 
They  might  also  have  been  more  likely  to  detennine  the  true  flight  risk  based  on  a 
historical  tracking  of  various  anomalies  and  items  that  were  not  meeting  the  original 
design  requirement.  As  additional  critical  requirements  were  waived  based  on  past 
performance,  a  better  trend  analysis  of  the  anomaly  database  would  have  helped  to 
compile  the  continuing  trend  of  assuming  more  risk  as  the  program  progressed.  The 
CAIB  made  the  lengthy  recommendation  R7.5-1  to  “Establish  an  independent  Technical 
Engineering  Authority  that  is  responsible  for  technical  requirements  and  all  waivers  to 
them,  and  will  build  a  disciplined,  systematic  approach  to  identifying,  analyzing,  and 
controlling  hazards  throughout  the  life  cycle  of  the  Shuttle  System.”77  The 
recommendation  goes  on  to  discuss  the  tasks  the  technical  engineering  authority  will 
perform,  which  include  being  the  sole  waiver-granting  authority,  conducting  trend  and 
risk  analysis  and  their  reporting  systems,  verily  launch  readiness,  and  approve  the  re¬ 
certification  program.  Further,  the  CAIB  recommendation  R9.1-1  requires  NASA  to 


76  Columbia  Accident  Investigation  Board,  p.  193. 

77  Columbia  Accident  Investigation  Board,  p.  193. 
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report  to  Congress  the  status  of  the  activities  required  to  prepare  a  plan  and  to  implement 
this  new  authority,  as  well  as  the  independent  safety  office  and  reorganized  integration 
office. 

The  safety  representatives  must  also  have  input  and  insight  into  all  critical 
decisions,  and  they  should  always  ensure  that  it  must  be  proven  that  the  mission  is  safe, 
not  the  other  way  around  as  was  the  case  for  both  the  Columbia  and  the  Challenger. 

Problems  with  NASA’s  safety  organization  were  pointed  out  in  various  reviews. 
Congress  mandated  that  NASA  create  separate  safety  and  reliability  offices  after  the  1967 
fire  aboard  the  Apollo  1  test  capsule,  which  resulted  in  the  loss  of  three  astronauts, 
including  Virgil  I.  “Gus”  Grissom,  .  However,  these  offices  were  not  independent 
because  their  funding  was  still  linked  to  the  programs  they  supported.  After  the 
Challenger  accident  in  1986,  the  Rogers  Commission  noted  that  NASA  did  not  have  an 
independent  safety  program.  The  Associate  Administrator  heading  the  new  Safety  office 
created  in  response  to  this  recommendation  was  not  truly  independent,  because  the  safety 
activities  were  still  funded  by  the  programs  they  supported.  The  safety  office’s  lack  of 
independence  was  again  pointed  out  by  a  Government  Accountability  Office  (GAO) 
report  in  1990,  where  it  was  recommended  implementing  centralized  funding  for  safety. 
Again  in  1999,  the  Shuttle  Independent  Assessment  Team  (SIAT)  and  the  Integrated 
Action  Team  established  to  act  on  the  recommendations  of  that  team,  both  found  that  the 
safety  culture  at  NASA  was  being  eroded,  increasingly  so  because  of  the  new  contract 
structure  recently  adopted  and  the  better,  faster,  cheaper  philosophy.  “The  Shuttle 
Independent  Assessment  Team  and  NASA  Integrated  Action  Team  findings  mirror  those 
presented  by  the  Rogers  Commission.  The  same  communication  problems  persisted  in 
the  Space  Shuttle  Program  at  the  time  of  the  Columbia  accident.”78  The  Space  Shuttle 
Competitive  Source  Task  Force  in  2002  again  pointed  out  this  issue  stating  that  in 
addition  to  the  safety  office  not  being  independent,  it  does  not  have  the  authority  to  halt  a 
mission  if  they  feel  there  is  a  safety  concern.  The  safety  has  always  really  been  left  up  to 
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the  programs  to  determine  how  much  safety  they  needed,  or  could  afford,  and  this  was 
not  changed  despite  all  the  warnings  from  outside  agencies  warning  that  this  was  a 
problem  throughout  NASA’s  history. 

As  Senator  Ernest  “Fritz”  Hollings  (D-S.C.)  remarked  during  a  Senate  Commerce 
Committee  hearing  on  the  results  of  the  CAIB’s  report  on  the  Columbia  accident, 
“There’s  no  education  in  the  second  kick  of  a  mule.  I’m  hearing  the  same  things  I 
listened  to  seventeen  years  ago.”  79 


79  B.  Berger,  "Lawmakers  Press  O’Keefe  For  Cost  Figures.”  3  September  2003.  Space  News  Staff 
Writer,  [http://www.space.com/news/nasa_hearing_030903.html],  last  accessed  December  2003.  Senator 
Flollings  directed  his  remarks  to  NASA  Administrator  Sean  O’Keefe,  and  ADM  Flarold  Gehman  (USN, 
ret),  head  of  the  Columbia  Accident  Investigation  Board,  during  their  testimony  to  the  Senate  Commerce, 
Science,  and  Transportation  Committee. 


44 


IV.  ANALYSIS  OF  FINDINGS 


A.  QUESTION  ONE 

After  reviewing  the  two  investigative  reports  produced  after  the  two  space  shuttle 
accidents,  the  analysis  obviously  starts  by  making  comparisons  between  the  two, 
especially  in  their  final  recommendations  (listed  in  their  entirety  in  Appendix  A). 
Specifically,  we  pose  the  following  questions: 

What  similarities  and  differences  exist  when  comparing  the  recommendations 
made  by  both  commissions?  Are  there  any  recommendations  from  the  Challenger 
investigation  that  if  properly  implemented,  could  have  affected  the  issues  leading  to  the 
Columbia  accident?  Are  there  any  recommendations  from  the  CAIB  that  could  have 
been  identified  by  the  Challenger  investigation?  For  any  recommendations  that  were 
made  by  both  commissions,  is  it  expected  that  the  post  Columbia  NASA  can  implement 
the  recommendation  more  effectively? 

In  many  ways,  the  two  shuttle  accidents  resulted  from  the  same  failures  in  the 
NASA  organization.  The  recommendations  concerning  the  NASA  organization  and 
culture  made  by  the  CAIB  were  very  similar  to  the  recommendation  made  eleven  years 
previously  by  the  Rogers  Commission.  Specifically,  both  included  recommendations 
dealing  with  flight  schedule  pressures,  the  management  structure,  and  the  safety  program. 
This  point  was  not  missed  by  those  familiar  with  both  investigations,  and  the 
congressional  comities  who  reviewed  their  work. 

1.  Flight  Rate 

The  Rogers  Commission  Recommendation  VIII  and  CAIB  recommendation  6.2-1 
both  deal  with  the  shuttle  flight  rate  and  are  virtually  identical.  The  Rogers  Commission 
recommendation  VIII  reads: 

Flight  Rate.  The  nation's  reliance  on  the  Shuttle  as  its  principal  space 
launch  capability  created  a  relentless  pressure  on  NASA  to  increase  the 
flight  rate.  Such  reliance  on  a  single  launch  capability  should  be  avoided 
in  the  future. 

NASA  must  establish  a  flight  rate  that  is  consistent  with  its  resources.  A 
firm  payload  assignment  policy  should  be  established.  The  policy  should 
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include  rigorous  controls  on  cargo  manifest  changes  to  limit  the  pressures 
such  changes  exert  on  schedules  and  crew  training.50 

The  CAIB  recommendation  R6.2-1  reads: 

Adopt  and  maintain  a  Shuttle  flight  schedule  that  is  consistent  with 
available  resources.  Although  schedule  deadlines  are  an  important 
management  tool,  those  deadlines  must  be  regularly  evaluated  to  ensure 
that  any  additional  risk  incurred  to  meet  the  schedule  is  recognized, 
understood,  and  acceptable.57 

The  similarities  here  are  obvious,  with  one  line  of  the  CAIB  recommendation  a 
virtual  quote  of  the  Rogers  Commission  recommendation.  Although  this  was  a 
significant  topic  repeated  by  both  investigations,  it  is  unlikely  that  this  alone  could  have 
changed  the  outcome  of  the  Columbia.  The  NASA  budget  is  controlled  by  Congress, 
with  an  annual  budget  process,  however  NASA  projects  and  programs  require  several 
years,  or  even  decades,  to  complete.  Although  NASA  needs  to  assess  budgetary  changes, 
and  evaluate  the  risk  associated  with  changes  to  the  programs,  it  is  unlikely  that  NASA 
will  be  able  to  drastically  alter  their  project  plans  annually.  In  addition,  it  is  hard  to 
imagine  that  a  risk  assessment  of  the  Columbia  launch  pressures  would  have  influenced 
the  decisions  surrounding  that  mission.  Schedule  pressures  may  have  been  more  of  a 
factor  for  the  Challenger  launch,  as  the  schedule  ultimately  was  what  forced  them  to 
launch  in  such  cold  temperatures.  Had  the  schedule  been  more  flexible,  the  launch  could 
have  been  delayed  and  that  particular  mission  may  have  been  saved.  However,  there  was 
still  a  reoccurring  problem  with  the  O-ring  design,  which  was  not  meeting  the 
requirements.  As  a  result,  the  extreme  cold  on  the  day  of  the  Challenger  launch  may 
have  only  increased  the  risk  of  a  problem  that  was  bound  to  happen  at  some  point. 
Although  both  the  Rogers  Commission  and  the  CAIB  found  that  schedule  pressures  did 
contribute  to  the  accidents  and  therefore  included  this  important  recommendation  in  their 
reports,  these  recommendations  alone  are  unlikely  to  correct  the  primary  organizational 
problem  and  prevent  future  accidents.  In  fact,  NASA  sent  out  invitations  to  bid  on  the 


80  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  201. 

81  Columbia  Accident  Investigation  Board,  p.  226. 
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shuttle  operations  program  to  United  Airlines  and  American  Airlines82;  an  indication  of 
the  level  of  maturity  that  NASA  felt  had  been  reached  in  the  shuttle  program. 

2.  Organizational  Structure 

The  management  and  safety  structures  are  somewhat  related  and  are  included  in 
recommendations  from  both  committees.  Both  management  and  safety  must  have  an 
overarching  perspective  of  the  shuttle  program.  The  Rogers  Commission 
recommendation  II  as  well  as  the  CAIB  recommendation  7.5-3  deal  with  similar  issues, 
but  in  somewhat  different  ways.  Rogers  recommendation  II  states,  “A  redefinition  of  the 
Program  Manager's  responsibility  is  essential.  This  redefinition  should  give  the  Program 
Manager  the  requisite  authority  for  all  ongoing  STS  operations.  Program  funding  and  all 
Shuttle  Program  work  at  the  centers  should  be  placed  clearly  under  the  Program 
Manager’s  authority.”83  The  CAIB  recommendation  R7.5-3  is  similar  but  deals  not 
directly  with  the  management  of  the  shuttle  program,  but  with  the  technical  side  of  the 
problem,  the  integration  office.  It  states,  “Reorganize  the  Space  Shuttle  Integration 
Office  to  make  it  capable  of  integrating  all  elements  of  the  Space  Shuttle  Program, 
including  the  Orbiter.”84  The  integration  office  needs  to  be  at  an  organizational  level 
above  all  of  the  components  they  are  integrating,  so  that  no  single  component,  like  the 
orbiter,  is  in  a  different  structure  to  report  infonnation,  and  all  components  must  report  to 
the  Integration  Control  Board.  This  might  have  been  closer  to  what  the  Rogers 
Commission  was  trying  to  achieve  with  their  management  structure  recommendation. 
They  were  specifically  trying  to  deal  with  funding  and  oversight,  but  with  this  it  may 
have  been  assumed  that  better  organized  technical  expertise  would  follow.  However,  a 
different  management  organization  does  not  necessarily  change  the  way  technical 
decisions  are  made,  as  was  demonstrated  with  the  Columbia  accident.  Program 
Managers  typically  have  incentives  to  achieve  schedule  milestones,  and  this  can  easily  be 
measured  as  the  schedule  date  come  to  pass.  However,  a  Program  Manager  should  also 


82  Email  correspondence  from  ADM  (Ret)  Donald  Eaton,  10  February  2006. 

83  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  199. 

84  Columbia  Accident  Investigation  Board,  p.227. 
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have  some  incentive  components  relating  to  safety  and  quality.  These  aspects  may  be 
more  difficult  to  judge  success  in  order  to  reward  a  job  well  done,  but  failure  can  result  in 
catastrophic  events. 

The  new  management  structure  put  in  place  after  the  Challenger  accident  did  not 
significantly  change  how  the  shuttle  components  were  being  integrated,  and  did  not 
establish  technical  group  directly  responsible  for  the  top-level  integration  of  the  shuttle 
sub-systems  and  their  requirements.  Had  the  new  overarching  management  structure 
implemented  teams  with  high  levels  technical  oversight,  it  might  have  been  possible  to 
flag  the  reoccurring  foam  loss  problem  as  a  more  significant  risk  than  a  simple  in-flight 
anomaly.  In  addition,  many  of  the  changes  in  the  management  organization  put  in  place 
after  the  Challenger  accident  were  undone  later  years  due  to  changes  in  leadership  and  in 
an  effort  to  be  more  efficient  given  the  declining  budget  environment.  Therefore, 
although  similar,  the  CAIB  recommendation  stresses  the  importance  of  the  organization 
of  the  integration  office  and  their  responsibilities,  which  should  have  a  greater  impact  to 
future  missions. 

3.  Safety  Programs 

Both  committees  make  recommendations  for  an  independent  and  adequately 
funded  safety  program.  If  the  Rogers  Commission  recommendation  II,  which  addresses 
the  safety  organization  with  respect  to  the  central  management  structure,  was  adequately 
addressed  by  NASA,  it  could  have  had  some  impact  on  the  Columbia  accident. 
However,  the  Rogers  Commission  directly  addresses  their  concerns  with  the  safety 
program  in  recommendation  IV  which  states: 

NASA  should  establish  an  Office  of  Safety,  Reliability  and  Quality 
Assurance  to  be  headed  by  an  Associate  administrator,  reporting  directly 
to  the  NASA  Administrator.  It  would  have  direct  authority  for  safety, 
reliability,  and  quality  assurance  throughout  the  agency.  The  office  should 
be  assigned  the  work  force  to  ensure  adequate  oversight  of  its  functions 
and  should  be  independent  of  other  NASA  functional  and  program 
responsibilities'55. 


85  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  200. 
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The  CAIB  has  a  very  similar  recommendation,  R7.5-2  which  states  “NASA 
Headquarters  Office  of  Safety  and  Mission  Assurance  should  have  direct  line  authority 
over  the  entire  Space  Shuttle  Program  safety  organization  and  should  be  independently 
resourced.”86 

The  Columbia  accident  resulted  from  one  sub-system,  the  external  fuel  tank  foam 
insulation,  influencing  the  performance  of  another  shuttle  sub-system,  the  orbiter.  If  the 
management  structure  was  different,  and  the  safety  community  reorganized  with  more 
authority,  it  might  have  influenced  the  Columbia  by  changing  the  assessment  of  the 
reoccurring  foam  loss  problem.  An  adequately  funded  safety  program  could  have  had  the 
recourses  necessary  to  determine  the  frequency  of  the  foam  loss  problem  through  trend 
analysis.  However,  there  is  a  limited  amount  of  funding  for  the  safety  programs,  and  it  is 
a  difficult  balance  that  has  to  be  made  to  provide  adequate  safety  analysis  within  the 
programs  funding  constraints.  Since  there  is  never  enough  money  to  do  everything,  it  is 
necessary  to  rank  the  severity  of  problems,  to  ensure  the  highest  risk  items  are  dealt  with, 
and  as  many  of  the  lower  level  issues  are  addressed  as  possible.  Unfortunately,  the 
ranking  can  be  incorrect,  and  this  may  be  discovered  only  when  it  is  too  late.  In  the  years 
following  the  Challenger  accident,  NASA  seemed  to  revert  to  the  “prove  it  is  unsafe” 
vice  “prove  it  is  safe”  mentality  in  their  management  decisions.  Had  the  safety  office 
been  given  enough  authority  to  check  management  decisions  and  made  sure  that  NASA 
was  not  reverting  to  this  dangerous  practice,  the  foam  loss  problem  may  have  been  better 
analyzed  and  a  proper  risk  assessment  been  made  of  the  dangers  to  the  reentry  of  the 
orbiter. 

In  addition  to  recommending  an  independent  safety  program,  the  CAIB  went  a 
step  further  with  the  addition  of  a  Technical  Engineering  Authority.  As  stated  in  CAIB 
recommendation  R7.5-1 : 

Establish  an  independent  Technical  Engineering  Authority  that  is 
responsible  for  technical  requirements  and  all  waivers  to  them,  and  will 
build  a  disciplined,  systematic  approach  to  identifying,  analyzing,  and 
controlling  hazards  throughout  the  life  cycle  of  the  Shuttle  System.  The 
independent  technical  authority  does  the  following  as  a  minimum: 

86  Columbia  Accident  Investigation  Board,  p.  227. 
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•  Develop  and  maintain  technical  standards  for  all  Space  Shuttle 
Program  projects  and  elements 

•  Be  the  sole  waiver-granting  authority  for  all  technical  standards 

•  Conduct  trend  and  risk  analysis  at  the  sub-system,  system,  and 
enterprise  levels 

•  Own  the  failure  mode,  effects  analysis  and  hazard  reporting 
systems 

•  Conduct  integrated  hazard  analysis 

•  Decide  what  is  and  is  not  an  anomalous  event 

•  Independently  verily  launch  readiness 

•  Approve  the  provisions  of  the  re-certification  program  called  for  in 
Recommendation  R9. 1  - 1 . 

The  Technical  Engineering  Authority  should  be  funded  directly  from 

NASA  Headquarters,  and  should  have  no  connection  to  or  responsibility 

for  schedule  or  program  cost.57 

This  may  be  the  additional  recommendation  that  could  make  the  difference  in  the 
post  Columbia  NASA  that  did  not  seem  to  happen  in  the  post  Challenger  NASA.  The 
physical  causes  of  both  accidents  were  problems  that  were  happening  in  a  non- 
catastrophic  way  before  the  accident,  and  were  deviations  from  specifications.  In 
retrospect  it  appears  that  the  data  existed  to  indicate  either  erosion  of  the  design  margin, 
or  a  minimal  margin,  but  that  data  was  not  adequately  assessed.  The  o-ring  joints  were 
failing  but  it  was  believed  there  was  a  backup  ring,  so  the  out  of  spec  part  was  not 
quickly  investigated  and  fixed.  Damage  from  foam  hitting  tiles  happened  on  almost 
every  flight,  and  although  there  was  a  requirement  for  this  not  to  happen,  it  was  accepted 
and  treated  as  a  maintenance  issue.  This  new  technical  authority,  along  with  an 
independent  safety  community,  may  have  made  different  decisions  regarding  the  failing 
o-rings  or  foam  loss  problem,  or  would  likely  have  input  into  the  requests  to  photograph 
the  Columbia  in  orbit  to  assess  possible  damage  before  attempting  re-entry. 

Procedures  and  databases  are  essential  for  complex  systems.  Before  a  mission  or 
upgrade,  it  should  be  easy  to  determine  the  outstanding  issues  (like  the  foam  loss  hazard 
report  that  was  ignored)  and  ensure  all  testing  is  complete.  This  recommendation  should 

Columbia  Accident  Investigation  Board,  p.  227. 
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eliminate  the  practice  of  the  delta  approach  to  readiness  reviews.  This  delta  approach,  as 
discussed  in  the  data  section,  allowed  only  new  problems  to  be  discussed  in  a  flight 
readiness  review,  while  any  problem  that  had  been  seen  before  and  determined  within 
acceptable  risk  was  from  then  on  ignored.  Presuming  it  is  adequately  resourced,  this  new 
technical  engineering  authority  will  be  performing  trend  analysis  and  risk  assessments 
that  should  show  when  a  problem  is  not  going  away,  or  is  not  being  fixed. 

However,  this  new  organization  cannot  exist  and  properly  execute  their  task 
without  a  change  in  NASA’s  cultural  acceptance  of  risk.  The  Rogers  Commission  asserts 
that  a  management  system  that  emphasizes  safety  would  have  flagged  the  rising  doubts 
about  the  SRM  joint  seal.  However  if  the  culture  is  such  that  the  lack  of  action  to  reduce 
the  risk  becomes  acceptable,  the  working  level  motivation  for  continued  pressure  on 
safety  is  impacted.  NASA  must  strive  to  be  a  learning  organization,  and  determine  root 
causes  of  problems.  Over  time,  efforts  should  be  made  to  change  those  causal  factors  as 
well  as  the  specific  issue.  NASA  must  never  revert  to  accept  the  premise  that  proof  is 
needed  to  show  it  is  unsafe  before  a  mission  is  aborted. 

This  recommendation  could  be  the  difference  between  the  organizational 
recommendations  of  the  Challenger  that  will  make  a  difference  in  the  future  NASA. 
Giving  a  group  independence  and  authority  to  halt  a  launch  and  assess  all  hazards  and 
requirement  waivers  could  be  what  NASA  needs  to  make  sure  they  do  not  slip  back  to 
their  old  culture.  Hopefully  this  new  authority  will  be  set  up  as  intended  by  the  CAIB, 
and  they  will  always  require  proof  that  it  is  safe,  not  proof  that  it  is  unsafe. 

B.  QUESTION  TWO 

Although  the  Rogers  Commission  viewed  its  mandate  as  quite  broad,  they 
specifically  indicated  in  their  report  that  they  did  not  perform  a  detailed  investigation  of 
all  aspects  of  the  Space  Shuttle  program,  such  as  budgetary  matters  or  in  areas  that  would 
supersede  Congressional  powers.  No  investigation  can  completely  erase  the  future  risk. 
However,  given  the  magnitude  of  the  analysis  available  following  the  Challenger 
accident  it  is  beneficial  to  examine  if  the  CAIB  captured  any  of  the  causal  factors.  In 
light  of  factors  that  were  identified  by  other  researchers  after  the  Rogers  Commission 
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finished  their  investigation  and  the  possibility  that  some  of  these  factors  were  also 
important  to  the  Columbia  accident  (including  the  findings  of  their  preceding  analysis),  it 
is  appropriate  to  ask: 

Are  there  factors,  that  neither  investigation  identified,  that  should  be 
considered  in  helping  to  prevent  future  catastrophic  occurrences  in 
complex  engineering  development  projects? 

While  the  Rogers  Commission  discussed  design  flaws  that  contributed  directly  to 
the  Challenger  accident,  they  did  not  identify  other  design  issues  that  may  have  adversely 
impacted  the  future  of  the  shuttle  program,  including  those  that  may  have  played  a  role  in 
the  Columbia  accident.  There  were  several  design  modifications  identified  in  the  post- 
Challenger  investigations  that  have  gone  unidentified  by  either  commission  that  could 
continue  to  pose  risk  to  the  shuttle  program  but  also  serve  as  an  example  of  pitfalls  that 
could  befall  many  complex  engineering  development  projects. 

As  discussed  in  the  historical  context  discussion,  the  Space  Shuttle  started  out  as  a 
two  stage  (booster-orbiter)  design  where  both  stages  were  to  be  piloted,  reusable  vehicles. 
However,  even  though  this  design  offered  lower  life  cycle  cost,  it  had  high  R&D  costs 
which  became  increasingly  difficult  to  defend  through  the  political  and  budget  process. 
In  this  original  design  both  the  booster  vehicle  and  the  orbiter  would  operate  using 
cryogenic-liquid  propulsion  systems  which  NASA  had  a  great  deal  of  experience  and 
confidence  in  safety.  In  order  to  make  the  system  more  affordable,  the  booster  design 
was  changed  to  be  only  partially  reusable  with  the  expendable  boosters  changed  to  solid 
rockets  thus  avoid  the  high  cost  of  designing  liquid  system  plumbing  that  would  survive 
water  impact  and  permit  turnaround  for  reuse.  Further,  the  Commission  did  not  identify 
questionable  acquisition  decisions  to  procure  the  SRBs  from  a  land  locked  contractor 
which  forced  the  SRB  to  be  a  segmented  design  as  opposed  to  choosing  a  contractor  who 
could  have  built  the  SRBs  as  a  single  unit  avoiding  the  O-ring  design  entirely. 
McConnell  presents  a  convincing  case  that  politics  not  technical  reasons  led  to  the  choice 
of  Utah  based  Thiokol  by  Utah  native  NASA  Administrator  James  Fletcher88.  While  the 
Rogers  Commission  identified  flaws  in  the  booster  design,  they  did  not  go  back  in  time 
further  to  question  the  design  change  that  led  to  the  boosters  in  the  first  place.  Nor  did 

88  McConnell,  pp.  50-56. 
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they  look  at  other  changes  made  to  the  original  design  that  may  have  led  to  other  risks 
due  to  a  sub-optimal  design.  It  is  likely  that  they  viewed  this  as  ‘water  under  the  bridge’ 
but  such  an  investigation  may  have  given  NASA  information  to  update  those  items  that 
perhaps  should  be  reexamined  going  forward. 

Just  as  the  Rogers  Commission  identified  design  flaws  with  the  SRBs  but  did  not 
investigate  the  underlying  decision  to  use  SRBs,  the  CAIB  identified  numerous  issues 
with  foam  shedding  from  the  external  tank  and  tile  damage,  but  did  not  investigate  deeper 
design  decisions  that  led  to  the  current  problem.  Returning  once  again  to  the  two  stage 
piloted  booster-orbiter  concept  we  find  that  the  original  orbiter  was  to  be  a  straight 
winged  design  and  much  smaller  due  to  the  fact  that  the  booster  contained  engines 
powerful  enough  to  avoid  reliance  on  orbiter  engines.  It  is  this  design  for  which  the 
thennal  protective  tile  design  was  originally  intended.  According  to  Trento  this  design 
was  well  suited  for  the  application  of  tiles.89  However  in  order  to  get  buy  in  from  the  Air 
Force,  critical  for  continuation  of  the  program,  the  orbiter  design  had  to  be  changed  to 
meet  the  cross  range  requirement.  It  proved  difficult  to  adapt  the  tile  concept  to  the  new 
delta  wing  concept  with  its  complex  curved  surfaces.  Further,  the  change  from  the 
booster  vehicle  to  the  external  tank  and  SRBs  also  introduced  the  foam-shedding  hazard 
that  coupled  with  the  fragile  tiles  led  to  the  Columbia  accident. 

This  new  design  had  an  initial  requirement  for  no  shedding  of  foam  which 
allowed  the  continued  use  of  the  thermal  protection  system;  resulting  in  minimal 
requirements  to  withstand  damage.  The  first  flight  of  the  shuttle  resulted  in  great  concern 
when  it  was  determined  that  a  large  number  of  tiles  needed  to  be  replaced.  However,  as 
in  the  case  of  the  Challenger,  the  continued  success  of  the  flights  despite  the 
acknowledgement  of  deviance  was  used  by  NASA  as  a  way  of  showing  the  robustness  of 
the  design  rather  than  an  identification  of  a  latent  problem.  There  is  a  key  lesson  here  for 
not  only  NASA  but  also  other  organizations  managing  complex  engineering  development 
projects.  Data  that  indicates  a  sub-optimal  design  should  not  be  misconstrued  as  an 
indication  of  a  robust  design.  Further,  this  is  an  example  common  to  subsystem 
engineering,  that  is  that  when  one  part  of  the  organization  changes  the  design  to  meet  a 

89  McConnell,  p.  40. 
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new  or  changed  requirement,  that  other  parts  of  the  organization  cannot  assume  there  is 
no  change  needed  to  their  portion  of  the  design.  It  is  important  to  note  that  although  both 
Commissions  have  now  completed  their  work  the  Space  Shuttle  is  still  flying  with 
external  tanks,  SRBs  and  protection  tiles.  A  reason  for  this  is  that  the  commissions  were 
chartered  to  find  out  why  the  mishaps  occurred  and  recommend  corrective  actions,  rather 
than  implement  them. 

It  is  unlikely  that  the  identification  of  the  design  compromises  by  the  Rogers 
Commission  would  have  prevented  the  Columbia  accident  due  to  the  extreme  extent  of  a 
redesign.  In  fact  the  Rogers  Commission  did  identify  the  need  for  a  crew  escape 
capability  (part  of  the  original  shuttle  concept  and  then  removed)  as  recommendation  VII 
in  their  report,  but  investigations  by  NASA  determined  that  it  was  not  feasible  to  retrofit 
the  shuttle  with  this  capability.  Nor  is  it  expected  that  a  redesign  of  the  shuttle  system 
would  occur  based  on  a  CAIB  identification  of  the  sub-optimal  design.  However,  it  is 
appropriate  for  commissions  to  make  such  recommendations  as  a  warning  against 
extracting  politically  palatable  agreements  through  technological  compromises.  When 
outside  forces  cause  engineering  design  changes  it  is  important  to  iterate  the  system 
engineering  processes  to  ensure  that  the  changes  do  not  invalidate  earlier  engineering 
decisions.  It  is  imperative  to  revisit  engineering  decisions  to  see  if  a  change  made  for 
political  reasons  requires  a  more  extensive  reengineering  effort.  Unfortunately,  complex 
engineering  projects  are  often  faced  with  the  problem  that  Vaughan  attributed  to  the 
Space  Shuttle,  “NASA  received  political  endorsement  of  the  Shuttle  Program  and  its 
mission  without  the  political  commitment  necessary  to  provide  resources  adequate  to 
meet  program  goals.”90 

Another  area  that  each  investigation  paid  only  tangential  attention  to  was  the 
budgetary  and  political  pressures  that  result  in  management  action  that  contributed  to 
increase  risk  in  shuttle  operations.  In  fact,  in  the  case  of  the  Rogers  Commission,  they 
specifically  stated  “...the  Commission  did  not  construe  its  mandate  to  ...  to  review 
budgetary  matters.”91  However,  at  least  one  of  the  Commission  members,  Richard.  P. 
Feynman,  who  was  a  Nobel  Laureate  in  physics,  felt  strongly  enough  about  these  matters 

90  Vaughan,  p.  30. 

91  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  1. 
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that  a  separate  Appendix  was  included  in  the  report  to  document  his  personal  feelings. 
He  points  to  a  large  disconnect  between  the  level  of  risk  of  loss  of  the  shuttle  vehicle  and 
human  life  between  the  engineers  and  shuttle  management.  He  claims  that  management 
believes  the  probability  of  failure  is  a  thousand  times  less  than  the  engineers  working  the 
program.92  He  claims  that  this  is  either  an  incredible  lack  of  communication  between  the 
working  level  and  management  or  an  attempt  to  assure  those  who  fund  NASA's  programs 
that  the  program  remains  executable.  In  many  ways,  the  observations  of  Feynman  were 
later  confirmed  and  expanded  by  Dr  Vaughan’s  research  and  findings  of  acceptance  of 
risk  and  nonnalization  of  deviance.  However,  Feynman  applies  a  stronger  role  to 
working  within  the  pressures  of  the  NASA  budget  and  political  environment  than  Dr. 
Vaughan.  Feynman’s  statement,  “We  have  also  found  that  certification  criteria  used  in 
Flight  Readiness  Reviews  often  develop  a  gradually  decreasing  strictness,”93  was  later 
echoed  in  Post  Challenger  investigations,  including  Dr.  Vaughan’s.  Feynman  maintains 
that  the  rigorous  certification  criteria  were  slowly  altered  with  incremental  logical 
decisions  that,  in  the  aggregate,  result  in  increased,  unacknowledged  risk  to  the  program. 
This  is  a  common  problem  faced  in  execution  of  complex  technological  projects  that  rely 
upon  continued  justification  of  funding;  there  is  often  pressure  to  maintain  the  impression 
of  invincibility  as  opposed  to  admitting  to  technological  weaknesses  and  working  to 
correct  them. 

C.  QUESTION  THREE 

Especially  in  technical  communities,  one  of  the  least  understood,  imprecise, 
cryptic,  and  hardest  factors  to  address  is  an  organization’s  structurally-embedded  culture, 
with  its  associated  strengths  and  vulnerabilities.  Thus,  question  three  takes  on  this  aspect 
of  this  analysis  by  posing  the  question,  “What  problems  existed  in  the  NASA  culture 
during  the  times  of  both  accidents?” 


92  Ibid.,  Volume  II,  Appendix  F,  p.  F-4. 

93  Ibid.,  p.  F-l. 
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1.  Introduction 

In  our  view  the  NASA  organizational  culture  had  as  much  to  do  with  this 
accident  as  the  foam.w 

The  quote  above  from  the  Columbia  Accident  Investigation  Board  leaves  little 
doubt  as  to  the  gravity  with  which  the  Board  viewed  the  cultural  reasons  for  the 
Columbia  disaster.  To  begin  this  analysis,  a  working  definition  of  culture  is  required. 
Culture  can  be  defined  as  the  shared  beliefs,  behavioral  norms,  and  values  of  an 
organization,  often  driven  by  unspoken  assumptions.  This  is  often  described  by  people 
within  an  organization  as  “the  way  we  do  things  here.”95  As  noted  in  the  CAIB  report, 
the  culture  of  an  organization  is  a  tremendously  potent  and  enduring  force  that  persists 
below  the  veneer  of  reorganizations  and  personnel  changes.96  Many  outsiders  and 
recently,  more  and  more  NASA  insiders  believe  that  the  cultural  problems  at  NASA 
persisted  from  the  time  of  Challenger  to  Columbia,  and  that  changes  implemented  in  the 
post  -Challenger  NASA  organization  were  simply  surface  level  and  impermanent,  akin  to 
rearranging  the  deck  chairs  on  the  Titanic.  This  assessment  is  shared  by  technologists, 
safety  experts,  social  scientists,  and  people  at  all  levels  of  the  federal  government.  This 
sentiment  was  voiced  in  a  homespun  way  by  Senator  Ernest  “Fritz”  Hollings  (D-S.C.), 
who  remarked  during  a  Senate  Commerce  Committee  hearing  on  the  results  of  the 
CAIB’s  report,  “There’s  no  education  in  the  second  kick  of  a  mule.  I’m  hearing  the  same 
things  I  listened  to  seventeen  years  ago.”97  Words  that  hit  closer  to  home  are  those  of  Dr. 
Sally  Ride,  America’s  first  woman  astronaut  and  a  member  of  both  the  Rogers 
Commission  and  the  CAIB,  who  stated  she  heard  “echoes”  of  the  Challenger  tragedy  in 
the  Columbia  accident 98 

9^  Columbia  Accident  Investigation  Board,  p.  97. 

95  “Assessment  and  Plan  for  Organizational  Change  at  NASA,”  Behavioral  Science  Technology 
(BST),  15  March  2004,  p.6. 

96  Columbia  Accident  Investigation  Board,  p.  101. 

97  B.  Berger,  "Lawmakers  Press  O’Keefe  For  Cost  Figures,"  3  September  2003, 
[http://www.space.com/news/nasa_hearing_030903.html],  Last  accessed  December  2003.  Senator 
Flollings  directed  his  remarks  to  NASA  Administrator  Sean  O’Keefe,  and  ADM  Flarold  Gehman  (USN, 
ret),  head  of  the  Columbia  Accident  Investigation  Board,  during  their  testimony  to  the  Senate  Commerce, 
Science,  and  Transportation  Committee. 

98  Testimony  of  Dr.  D.  Vaughan,  Columbia  Accident  Investigation  Board  Public  Hearing  Transcript, 

23  April  2003,  [  http://www.caib.us/events/public_hearings/20030423/transcript_pm.html],  Last  accessed 
June  2003. 
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In  the  intervening  years  between  Challenger  and  Columbia,  awareness  of  cultural 
aspects  of  organizational  perfonnance  and  behavior  has  become  more  understood  and 
assessed  within  both  private  and  public  entities.  Thus,  the  investigation  and  discussion  of 
cultural  problems  at  NASA  prior  to  the  Columbia  incident  are  much  more  a  part  of  the 
CAIB’s  formal  investigation  and  the  associated  public  discussion  than  that  pursued  by  the 
Rogers  Commission.  The  CAIB’s  direct  and  candid  assessment  of  NASA’s  cultural 
deficiencies  is  exemplified  by  the  following: 

The  organizational  causes  of  this  accident  are  rooted  in  the  Space  Shuttle 
Program’s  history  and  culture.... Cultural  traits  and  organizational 
practices  detrimental  to  safety  were  allowed  to  develop, 
including:...  organizational  barriers  that  prevented  effective 
communication  of  critical  safety  information  and  stifled  professional 
differences  of  opinion... and  the  evolution  of  an  informal  chain  of 
command  and  decision-making  processes  that  operated  outside  the 
organization’s  rules." 

Furthermore,  since  Columbia,  NASA  itself  has  spoken  publicly  about  “culture” 
and  the  need  to  fix  what  is  generally  perceived  as  broken  within  it.  There  has  also  been 
the  required  acknowledgement  that  culture  is  more  difficult  to  fix,  especially  when  the 
organization  itself  is  a  technocratic  entity  that  isn’t  even  sure  what  “culture”  means.  The 
major  cultural  problems  during  the  times  of  Challenger  and  Columbia  can  be  distilled 
down  to  the  following: 

•  Requiring  engineering  personnel  to  prove  a  negative  -  prove  to  management  that 
a  system  isn’t  safe  for  flight  rather  than  being  required  to  provide  it  is  safe  for 
flight. 

•  Risk  acceptance  and  the  normalization  of  deviance 

•  Groupthink 

2.  Proving  a  Negative 

Perhaps  first  and  foremost,  one  of  the  most  recognizable  and  glaring  cultural 
problems  at  NASA  that  was  present  during  both  the  Challenger  and  Columbia  eras  was 
that  instead  of  being  required  to  demonstrate  that  a  system  was  safe  for  flight,  NASA 
engineers  and  those  of  their  contractors  were  required  to  rather  prove  it  wasn’t  safe  to  fly 
the  shuttle.  The  Rogers  Commission  found  this  to  be  the  case  with  engineering  decisions 

"  Columbia  Accident  Investigation  Board,  p.  177. 
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surrounding  the  decision  to  launch  Challenger  as  did  the  CAIB  with  circumstances 
surrounding  the  foam  strike  on  Columbia  and  its  post-launch  assessment  and  imagery 
request. 

In  the  case  of  the  Challenger  accident,  Thiokol  personnel  believed  that  suddenly 
roles  had  switched  and  they  had  now  been  put  on  the  spot  by  NASA  to  establish  it  was 
not  safe  to  fly  STS  51-L  rather  than  safe  to  do  so.  Roger  Boisjoly,  Thiokol’s  O-ring 
expert,  stated  during  his  testimony  to  the  Rogers  Commission  regarding  the  27  January 
1987  NASA  -  Thiokol  phone  conference  that  “this  was  a  meeting  where  the 
determination  was  to  launch,  and  it  was  up  to  us  to  prove  beyond  a  shadow  of  a  doubt 
that  it  was  not  safe  to  do  so.  This  is  in  total  reverse  to  what  the  position  is  in  a  preflight 
conversation.”100  Further  substantiation  was  voiced  by  Robert  K.  Lund,  Thiokol’s  vice 
president  for  engineering  during  the  time  of  Challenger,  who  testified  before  the  Rogers 
Commission  that  he  and  other  Thiokol  personnel  changed  their  recommendation  [from 
no-go  to  go  for  launch]  because  “we  had  to  prove  to  them  that  we  weren’t  ready,  and  so 
we  got  ourselves  in  the  thought  process  that  we  were  trying  to  find  some  way  to  prove  to 
them  it  wouldn’t  work,  and  we  were  unable  to  do  that.  We  couldn’t  prove  absolutely  that 
that  motor  wouldn’t  work.”101 

Finally,  the  shift  in  NASA’s  cultural  norm  from  “prove  to  me  it  is  safe”  to  “prove 
to  me  it  is  not  safe”  was  recognized  by  astronaut  Bob  Crippen,  the  pilot  of  the  first  Space 
Shuttle  Mission,  when  he  stated  during  a  Rogers  Commission  hearing: 

Since  the  earliest  days  of  the  manned  space  flight  program  that  I’ve  been 
associated  with  and  Mr.  Armstrong  [Neil  Armstrong,  the  vice-chairman  of 
the  Rogers  Commission]  has  been  associated  with,  our  basic  philosophy 
is:  Prove  to  me  we’re  ready  to  fly.  And  somehow  it  seems  in  this 
particular  instance  we  have  switched  around  to:  Prove  to  me  [that]  we  are 
not  able  to  fly.  I  think  that  was  a  serious  mistake  on  NASA’s  part. .  ,102 

In  exploring  the  cultural  defects  that  contributed  to  the  Columbia  accident,  the 
CAIB  stated,  “Both  Challenger  and  Columbia  engineering  teams  were  held  to  the  usual 
quantitative  standard  of  proof.  But  it  was  a  reverse  of  the  usual  circumstance  instead  of 

100  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  93. 

101  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  Vol.  4,  p.  811. 

10-  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  Vol.  4,  p.  632. 
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having  to  prove  it  was  safe  to  fly,  they  were  asked  to  prove  that  it  was  unsafe  to  fly.”103 
The  CAIB’s  belief  on  this  point  was  reinforced  by  its  finding  F6.3-22,  which  stated  that 
NASA  managers  required  engineers  to  prove  that  the  foam-strike  led  to  a  safety-of-flight 
issue,  rather  than  having  to  prove  the  system  was  safe.104  If  further  proof  of  this 
persistent  cultural  flaw  is  required,  one  needs  to  look  no  further  than  NASA’s 
Administrator,  Sean  O’Keefe,  who  stated  that  NASA  would  once  again  change  its  dictum 
from  “prove  to  me  that  it’s  not  safe”  to  “prove  to  me  that  it  is  safe.”105 

3.  Risk  Acceptance  and  Normalization  of  Deviance 

One  of  the  most  explored  areas  of  organizational  culture  with  respect  to  the 
Challenger  and  Columbia  incidents  is  that  of  the  idea  of  risk  acceptance  and  the 
nonnalization  of  deviance,  as  described  by  Diane  Vaughan.  This  theory  has  been  applied 
by  Dr.  Vaughan  in  great  detail  to  the  Challenger  accident.  At  the  time  of  this  writing,  her 
nonnalization  of  deviance  theory  has  been  used  as  an  investigative  tool  by  the  CAIB  and 
others  in  a  preliminary  manner.  As  discussed  previously  in  Section  III,  Dr.  Vaughan 
defines  nonnalization  of  deviance  as  the  inclination  of  organizations  to  accept  risk  as 
well  as  deviances  from  specifications  and  expected  outcomes  based  on  previous 
successes,  regardless  of  the  predicted  probability  of  these  results. 

In  the  case  of  the  Challenger,  after  the  first  accepted  O-ring  erosion  event  during 
STS-2,  the  second  shuttle  flight  in  November  198 1106,  there  was  a  gradual  acceptance  of 
more  O-ring  erosion  events,  which  built  upon  the  NASA  engineering  database,  of 
anomalous,  but  acceptable  risk  due  to  O-ring  blow-by.  This  acceptance  and 
nonnalization  of  risk  occurred  at  the  highest  levels  of  NASA  management,  such  as  during 
the  Flight  Readiness  Reviews  for  STS-41C,  when  the  notion  that  some  O-ring  erosion 
was  deemed  acceptable  by  Lawrence  Mulloy,  the  SRB  project  manager  at  Marshall 
Space  Flight  Center  because  of  the  redundant  SRB  O-ring  seals.107  The  magnitude  of 

103  Columbia  Accident  Investigation  Board,  p.  201. 

104  Columbia  Accident  Investigation  Board,  p.  172. 

105  House  of  Representatives,  Committee  on  Science  and  Technology,  One  Hundred  and  Eighth 
Congress,  Second  Session,  NASA ’s  Response  to  the  Columbia  Report,  Government  Printing  Office, 
Washington,  DC.,  2003. 
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this  deviation  nonnalization  can  be  seen  in  the  shuttle  missions  from  1984  up  to  the 
Challenger  accident.  During  this  time  period,  three  of  four  flights  in  1984  exhibit  O-ring 
erosion,  as  did  eight  of  nine  flights  in  1985,  and  the  12  January  1986  mission  that 
preceded  Challenger .  At  both  Marshall  and  Thiokol,  senior  management  deemed  the  O- 
ring  erosion  as  allowable,  acceptable  risk.108  Dr.  Richard  Feynman,  the  renowned 
physicist,  Noble  Laureate  and  Rogers  Commission  member,  noted  this  risk  nonnalization 
behavior  in  his  appendix  to  the  Commission’s  report.  Dr.  Feynman  remarked,  “We 
[Commission  members]  have  also  found  that  certification  criteria  used  in  Flight 
Readiness  Reviews  often  develop  a  gradually  decreasing  strictness.”109  Feynman  goes 
on  to  assert 

The  phenomenon  of  accepting  for  flight,  seals  that  had  shown  erosion  and 
blow-by  in  previous  flights,  is  very  clear... The  acceptance  and  success  of 
these  flights  is  taken  as  evidence  of  safety.  But  erosion  and  blow-by  are 
not  what  the  design  expected.  They  are  warnings  that  something  is 
wrong. .  .The  fact  that  this  danger  did  not  lead  to  a  catastrophe  before  is  no 
guarantee  that  it  will  not  happen  next  time... When  playing  Russian 
roulette  the  fact  that  the  first  shot  got  off  safely  is  little  comfort  for  the 
next. 1 10 


Feynman’s  comparison  of  NASA’s  behavior  of  deviance  normalization  to  a  game 
of  Russian  roulette  provides  a  vivid  image  of  just  how  far  this  behavior  had  gone. 

As  stated  in  the  discussion  of  the  Rogers  Commission  investigation,  right  up  to 
the  night  before  the  Challenger  launch,  both  NASA  and  Thiokol  engineers  analyzed  the 
obvious  proof  that  that  SRB  O-ring  design  was  not  functioning  as  designed,  but  through 
risk  acceptance  and  nonnalization  of  deviance,  this  negative  event  was  transformed  into 
an  acceptable  and  non-deviant  event.  The  acceptance  of  this  launch  risk  was  based  in 
part  on  incorrect  emphasis  on  meeting  a  launch  window  as  the  top-level  objective,  not 
executing  a  launch  within  the  bounds  of  the  known,  safe  launch  environment.  Thus,  as 


108C.W.  Choo,  The  Knowing  Organization,  p.  159,  Oxford  University  Press,  New  York,  1998. 

109  Feynman,  p.  F-l. 

110  Feynman,  p.  F-l. 
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Dr.  Vaughan  stated  in  her  presentation  before  the  CAIB,  the  “eve  of  the  launch 
teleconference  was  one  more  decision  in  a  long  line  of  decisions  that  gradually  expanded 
the  bounds  of  acceptable  risk.”111 

In  the  case  of  the  Columbia  incident,  the  same  ominous  pattern  of  accepting 
anomalous  foam  strikes,  with  no  apparent  high  risk  outcomes  as  “normal”,  occurred  on 
the  part  of  NASA.  The  end  result  was  just  as  tragic  as  Challenger’s.  As  stated 
previously  in  this  analysis,  the  CAIB’s  investigation  revealed  that  NASA  managers  at  the 
time  of  Columbia  had  come  to  accept  the  fuel  tank  foam  loss  and  subsequent  impact  on 
the  orbiter  as  acceptable.  In  effect,  NASA  management  used  past  success,  despite 
deviations  from  the  system’s  intended  design  and  functionality,  as  validation  of  the 
likelihood  of  future  mission  success.112  This  mode  of  organizational  thinking  can  be 
thought  of  as  an  unwise  effort  to  adhere  to  a  “success-oriented”  program  or  schedule. 
This  is  epitomized  by  the  CAIB  report’s  assessment  that  risk  nonnalization  was  evident 
after  the  flight  of  STS- 112,  when  two  more  shuttle  flights  were  scheduled  without 
hearing  back  from  the  team  investigating  the  foam  strike  during  that  mission.  The  CAIB 
report  states,  “It  seems  that  Shuttle  managers  had  become  conditioned  over  time  to  not 
regard  foam  loss  or  debris  as  a  safety-of-flight  concern.”113  Furthennore,  the  CAIB 
report  reveals  that  Linda  Ham,  the  STS- 107  Mission  Management  Team  Chair, 
specifically  treated  the  foam  shedding  problem  as  a  maintenance  one,  not  one  of 
safety.114  In  an  interview  following  the  release  of  the  CAIB’s  report,  Admiral  Harold 
Gehman  (USN,  ret),  the  CAIB’s  chairman,  when  discussing  NASA  cultural  nonn  of 
deviation  normalization  and  flawed  risk  acceptance,  stated,  “If  you  [NASA]  got  away 
with  it  ten  times  in  the  past  then  it  must  be  right.  They  really  believe  that,  or  some  of 
them  believe  it.”115 

111  Testimony  of  Dr.  D.  Vaughan,  Columbia  Accident  Investigation  Board  Public  Hearing  Transcript, 
23  April  2003,  [http://www.caib.us/events/public_hearings/20030423/transcript_pm.html],  Last  accessed 
June  2003. 

112  Columbia  Accident  Investigation  Board,  p.  100. 

113  Columbia  Accident  Investigation  Board,  p.  125. 

114  Columbia  Accident  Investigation  Board,  p.  200. 

113  Admiral  H.  Gehman  (USN,  ret),  as  quoted  in:  “Trying  Corps  Values  and  More,  at  NASA,” 

Sawyer,  K.  Washington  Post,  September  2003,  p.  A17,  [http://www.washingtonpost.com],  Last  accessed 
October  2003. 
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Diane  Vaughan,  in  her  previously  discussed  testimony  before  the  CAIB, 
recommended  that  NASA’s  organizational  system  and  culture  become  targets  for 
change.116  Dr  Vaughan  has  further  stated,  “ Challenger ,  like  Columbia  was  an 
institutional  failure.  That  is,  it  wasn’t  a  matter  of  the  decision-making  structure.  It  had  to 
do  with  the  entire  organization  [NASA]  and  its  culture,  and  the  critical  parts  that  really 
didn’t  get  changed.”117  Thus,  those  echoes  to  which  Dr.  Ride  alluded  in  her  commentary 
on  the  Columbia  seem  to  resonate  loud  and  clear. 

4.  Group  think  -  When  Too  Much  Cohesion  is  a  Perilous  Thing 

a.  Introduction 

Another  significant  and  stubborn  problem  is  the  continuation  of 
groupthink  from  Challenger  to  Columbia.  It  should  be  noted  however,  that  Groupthink 
and  Diane  Vaughan’s  theory  of  risk  normalization  could  be  considered  as  competing 
cultural  models,  not  concurrent  ones.  This  is  the  position  Dr.  Vaughan  has  taken  in  her 
writings  and  statements.  However,  for  the  purposes  of  this  analysis,  the  authors  are 
treating  groupthink  and  risk  nonnalization  as  plausible  concurrent  and  complementary 
culture  problems  at  NASA. 

b.  Groupthink  Defined 

Groupthink  is  the  term  coined  by  the  noted  Yale  research  psychologist, 
Irving  L.  Janis,  to  describe  the  phenomenon  by  which  a  talented,  intelligent,  high- 
performing,  and  usually  high-powered  group  makes  horrible  decisions.  Janis  defined 
groupthink  as  “a  quick  and  easy  way  to  refer  to  a  mode  of  thinking  that  persons  engage  in 
when  they  are  deeply  involved  in  a  cohesive  in-group,  when  concurrence-seeking 
becomes  so  dominant  that  it  tends  to  override  critical  thinking  or  realistic  appraisal  of 
alternative  courses  of  action.”118  Janis’s  research,  which  formed  the  foundation  for  his 
groupthink  theory,  was  based  on  an  examination  of  “notorious,”  as  Janis  himself  put  it, 
decisions  made  by  governmental  leaders  over  many  years.  These  included  such  debacles 
as  the  Bay  of  Pigs,  the  attack  on  Pearl  Harbor,  the  escalation  of  the  Vietnam  War,  the 

116  Testimony  of  Dr.  D.  Vaughan,  Columbia  Accident  Investigation  Board  Public  Hearing  Transcript. 

117  D.  Vaughan,  as  quoted  in:  “Columbia  Investigator  Fears  NASA  Won’t  Change.”  Dunn,  M.  1 
August  2003.  [http://www.space.com/missionlaunches/stsl07_ohseroff_030801.html],  Last  accessed 
October  2003. 

118  I.L.  Janis,  Groupthink,  2nd  edition,  p.8,  Houghton  Mifflin,  Boston,  1982. 
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miscalculation  that  lead  China  to  enter  the  Korean  Conflict,  and  the  policy  of 
appeasement  used  by  Neville  Chamberlain  in  his  government’s  fruitless  attempt  to 
placate  Nazi  Germany  prior  to  World  War  II.  Since  Janis’s  case  studies  involved  all 
different  sorts  of  high-perfonning,  bureaucratic,  risk-intensive  organizations,  the 
presence  of  groupthink  is  relatively  easy  to  identify,  and  then  by  following  Jams’ 
recommendations,  an  organization  can  blunt  its  negative  effects. 

See  Appendix  C  for  the  detailed  description  of  groupthink,  which  support 
the  analysis  that  follows. 

c.  Groupthink  and  Challenger 

In  the  case  of  the  Challenger  disaster,  a  review  of  the  data  and  discussion 
previously  presented  in  this  paper  in  Section  III,  Investigations,  combined  with 
information  culled  from  various  sources,  clearly  shows  that  groupthink  was  present  as  a 
cultural  problem  with  NASA  at  that  time. 

First,  what  antecedent  conditions  required  for  groupthink  to  take  hold 
were  present  at  the  time  of  the  Challenger  tragedy?  A  review  of  personnel  background 
as  well  as  the  events  that  transpired,  just  prior  to  the  Challenger  Flight  Readiness 
Reviews,  shows  that  the  NASA  personnel  like  Lawrence  Mulloy,  Bob  Marshall,  and 
William  Lucas,  who  were  key  players  in  the  genesis  of  the  Shuttle  program  and  were 
involved  in  the  Challenger  incident,  were  very  familiar  with  each  other,  had  come  up 
through  the  ranks  of  the  space  program,  and  had  worked  together  on  the  Shuttle  program 
for  many,  many  years119.  This  in  turn  created  an  exceptionally  high  degree  of  esprit  de 
corps;  a  cohesive  group  existed. 

A  second  precursor  for  groupthink  that  was  clearly  present  within  the 
NASA  hierarchy  during  the  time  of  Challenger  was  the  clear  existence  of  a  leadership 
preference  for  a  launch  despite  the  O-ring  erosion  and  low  ambient  temperature  concerns. 
As  described  previously  in  this  paper,  NASA  personnel  at  Marshall  Space  Flight  Center 
as  well  as  the  Kennedy  Space  Center  severely  and  at  times  acerbically  pushed  back 
against  Thiokol’s  recommendation  that  the  Challenger  launch  not  be  conducted  at 
temperatures  below  fifty-three  degrees  F.  This  leadership  preference  for  the  launch 

1 19  A.  J.  Dunar,  and  S.  P.  Waring,  Power  to  Explore:  History’  of  the  Marshall  Space  Flight  Center 
1960-1990,  p.  294-370,  Government  Printing  Office,  Washington,  D.C.,  1999. 
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decision  can  also  be  seen  in  the  nonnalization  of  deviance,  discussed  in  detail  by 
Vaughan,  as  well  as  NASA  requiring  Thiokol  to  prove  the  negative  -  it  wasn’t  safe  to 
launch  Challenger.  Finally,  several  key  statements  and  behaviors  of  senior  NASA 
personnel  during  the  now  infamous  phone  conference  of  27  January  1986,  as  documented 
in  notes  and  testimony  to  the  Rogers  Commission,  reveal  this  very  strong  leadership 
preference: 

•  George  B.  Hardy,  Marshall’s  Deputy  Director  for  Science  and  Engineering,  stated 
that  he  was  “appalled”120  by  Thiokol’s  reasoning  for  not  recommending  launch 
below  fifty-three  degrees  F,  which  had  been  the  lowest  previous  launch 
temperature  during  STS  51-C  in  January  1985. 121 

•  Lawrence  Mulloy,  the  SRB  Project  Manager  at  Marshall,  challenged  Thiokol’s 
recommendation  on  the  basis  that  there  was  no  Launch  Commit  Criteria  for  SRB 
joint  temperature.  He  further  went  on  to  assert  that  the  eve  of  the  launch  was  a 
bad  time  to  invent  a  new  LCC,  and  capped  off  this  pro-launch  opinion  by  stating, 
“My  God,  Thiokol,  when  do  you  want  me  to  launch,  next  April  [in  reference  to 
the  fifty-three  degree  F  temperature  launch  criteria  recommended  by 
Thiokol]?”122 

•  Hardy  and  Mulloy,  as  the  senior  engineer  and  SRB  project  manager,  respectively, 
combined  to  condemn  Thiokol’s  evidence  and  rationale,  forcing  Thiokol  to  go 
“off-line”  and  reconsider  their  objections  to  the  cold-weather  launch  of  STS  5 1-L. 

One  final,  readily  apparent  antecedent  for  groupthink  to  take  root  is  the 
phenomenon  of  the  group  being  insulated  from  experts.  In  the  case  of  the  Challenger 
accident,  Thiokol  engineering  staff  provided  testimony  to  the  Rogers  Commission  which 
clearly  shows  management  personnel  insulating  themselves  from  the  deck-plate 
engineering  community,  which  had  considerable  concern  over  the  O-ring  erosion  issue  in 
conjunction  with  the  coldest  attempted  Shuttle  launch.  Roger  Boisjoly,  Thiokol’s  O-ring 
expert,  testified  before  the  Rogers  Commission  that: 


120  Dunar  and  Waring,  p.  372. 

121  Dunar  and  Waring,  p.  371. 

122  Dunar  and  Waring,  p.  372. 


64 


...and  the  bottom  line  was  that  the  engineering  people  would  not 
recommend  a  launch  below  fifty-three  degrees  F...From  this  point  on, 
management  formulated  the  points  to  base  their  decision  on.  There  was 
never  one  comment  in  favor,  as  I  have  said,  of  launching  by  any  engineer 
[Thiokol]  or  other  no-management  person.... I  was  not  even  asked  to 
participate  in  giving  any  input  to  the  final  decision  charts725 

Thus,  it  can  be  clearly  shown  that  the  three  required  preconditions  for 
groupthink  to  develop  were  present  in  NASA  at  the  time  of  Challenger. 

An  assessment  of  the  symptoms  of  groupthink  present  at  this  time  shows 
that  many  are  easily  uncovered.  One  needs  to  remember,  however,  that  not  all  eight 
symptoms  of  groupthink  need  be  found  within  an  in-group  to  yield  the  poor  decision¬ 
making  that  is  an  unfortunate  outcome  of  groupthink.  An  illusion  of  invulnerability  is 
clearly  evident.  First,  although  astronauts  Grissom,  White,  and  Chafee  perished  in  the 
Apollo  I  launch  pad  fire,  NASA  had  never  suffered  an  in-flight  fatality.  Since  Apollo  I, 
NASA  had  fifty-five  straight  successful  missions124  in  which  they  had  sent  men  to  the 
moon,  docked  with  Soviet  Soyuz  craft,  built  and  deploy  Spacelab,  and  fielded  the  Space 
Shuttle  as  a  regular  delivery  “space  truck.”  The  American  public  and  NASA  themselves 
seemingly  came  to  believe  they  there  were  infallible.  This  implicit  air  of  invincibility  can 
be  seen  in  the  comment  of  George  Hardy,  who  stated  that  the  O-ring  erosion  risk  was 
“true  of  every  other  flight  we  had.”125  According  to  Janis,  this  sort  of  statement  by  a 
member  of  the  in-group  displays  a  mind-set  of  “everything  is  going  to  work  out  all  right 
because  we  are  a  special  group.”126  Finally,  Nobel  Laureate,  Richard  Feynman,  a 
member  of  the  Rogers  Commission,  believed  that  the  Commission’s  investigations  and 
interviews  revealed  that  NASA’s  exceptional  track  record  of  successful  space  flights 
created  overconfidence.127  This  leads  to  more  and  more  risk  assumption  and  deviation 
nonnalization,  as  described  by  Vaughan. 


122  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  91. 

124  Moorhead  et  ah,  p.  542. 

125  E. Griffin,  A  First  Look  At  Communication  Theory’  (3rd  ed.),  p.  234. 

126  I.  L.  Janis,  Crucial  Decisions:  Leadership  in  Policymaking  and  Crisis  Management,  p.  279,  Free 
Press,  New  York,  1989. 

127  E.  Magnuson,  “Fixing  NASA,”  Time,  9  June  1986,  p.  67. 
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NASA  exhibited  the  second  Type  I  symptom  of  groupthink,  which  is  the 
group’s  unquestioned  belief  in  its  inherent  morality.  NASA  management  displayed  this 
indicator  of  groupthink  though  their  shift  of  the  “old”  NASA  morality  of  having  to  prove 
a  system  was  safe  to  fly,  to  having  to  prove  the  opposite.  In  the  case  of  Brian  Russell, 
ThiokoTs  Director  of  Systems  Engineering  at  the  time  of  STS  51-L,  there  was  direct 
feeling  that  moral  rules  had  been  shifted  by  NASA.  During  testimony  before  the  Rogers 
Commission,  Mr.  Russell,  who  was  present  at  the  27  January  NASA  -  Thiokol  phone 
conference,  stated,  “I  had  the  feeling  that  we  were  -  that  it  was  a  distinct  feeling  that  we 
were  in  the  position  of  having  to  prove  that  it  was  unsafe  instead  of  the  other  way  around, 
which  was  a  totally  new  experience.”128  Mr.  Russell’s  stance  on  this  fundamental  shift  is 
reinforced  by  that  of  Mr.  Allen  McDonald,  ThiokoTs  SRM  Project  Manager  at  the  time 
of  Challenger,  who  testified  before  the  Rogers  Commission  as  follows: 

Well,  I  have  been  in  many  flight  readiness  reviews,  probably  as  many  as 
anyone,  in  the  past  year  and  a  half  get  up  and  stand  before,  I  think,  a  very 
critical  audience  at  Marshall,  and  a  very  good  one,  justifying  why  our 
hardware  was  ready  to  fly.  I  have  to  get  up  and  explain  every  major  defect 
and  why  we  can  fly  with  that  defect....  And  I  have  been  hassled  about 
how  I'm  sure  that  that  is  okay  to  fly  with....  And  it  has  been  that  way 
through  all  of  the  reviews  I've  ever  had,  and  that  is  the  way  it  should  be. 

And  it  is  not  pleasant,  but  that  is  the  way  it  should  be.  And  I  was 
surprised  here  at  this  particular  meeting  that  the  tone  of  the  meeting  was 
just  the  opposite  of  that.  I  didn’t  have  to  prove  that  I  was  ready  to  fly. .  ,129 

This  testimony  before  the  Rogers  Commission,  as  well  as  that  of  Boisjoly 
and  Lund  previously  discussed  in  the  section  regarding  the  cultural  defect  of  “proving  a 
negative”  shows  that  affliction  of  groupthink  yields  other  corresponding  cultural 
dysfunctions  besides  normalization  of  deviance  already  tied  by  the  authors  of  this  paper 
to  groupthink.  The  seemingly  abrupt  change  in  flight  commitment  criteria  is  due  to  the 
pressure  to  meet  the  launch  schedule  and  near-term  launch  window,  which  was  in  turn 
driven  by  NASA’s  need  to  meet  unrealistic  flight  rates. 

The  first  Type  II  symptom  of  groupthink  discussed  above  was  a  group’s 
propensity  to  stereotype  outsiders  with  competing  or  contrary  opinions.  The  record 

128  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  Vol.  4,  p.  823. 
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reveals  little  evidence  of  direct  NASA  denigration  of  outsiders  in  the  Challenger  case. 
However,  the  general  caustic  and  adversarial  tone  of  NASA  interaction  with  Thiokol 
personnel  is  evident  during  the  phone  conference  of  27  January  1986.  This  stereotyping 
is  most  clearly  revealed  in  the  previously  quoted  words  of  Lawrence  Mulloy,  which  are 
worth  repeating,  “My  God,  Thiokol,  when  do  you  want  me  to  launch,  next  April?”130 
There  was  a  clear,  confrontational  tone  to  NASA  retort  to  ThiokoTs  initial 
recommendation  to  not  launch  in  temperatures  below  fifty-three  degrees  F,  and  even  this 
threshold  temperature  is  suspect  due  to  the  small  sample  set  of  data  in  existence  at  that 
time. 

The  fourth  symptom  of  group  think  described  by  Janis  is  that  of  collective 
rationalization.  This  rationalization  leads  the  group  to  dismiss  warnings  which  would 
otherwise  drive  them  to  review  data  or  to  reconsider  their  assumptions  before  resuming 
their  chosen  course  of  action.  In  the  case  of  the  Challenger  catastrophe,  the  Level  1 
Flight  Readiness  Review  displayed  NASA’s  rationalization  of  the  O-ring  erosion  risk. 

As  shown  previously  in  this  paper,  NASA  officials  discounted  the  Thiokol 
engineers’  concerns  to  a  great  extent,  based  on  their  rationalization  that  the  engineering 
data  on  which  Thiokol  was  basing  their  “no  launch”  recommendation  was  inconclusive. 
Furthermore,  NASA  officials  collectively  believed  that  the  secondary  O-ring  would  seal 
in  worst-case  conditions,  which  is  a  clear  rationalization  that  attempts  to  overcome  the 
fact  that  SRB  joint  seal  is  a  failure  mechanism  without  backup. 

As  stated  in  his  testimony  before  the  Rogers  Commission,  George  Hardy 
reasoned,  incorrectly  in  hindsight,  that  the  secondary  O-ring  would  be  properly  seated  at 
the  time  of  primary  O-ring  blow-by  during  launch.131  This  can  be  construed  as  a 
rationalization  due  to  the  fact  that  Space  Shuttle  system  would  sit  on  the  launch  pad  for 
up  to  twenty-eight  days,  with  various  stress  transients  (e.g.,  transportation  vibration, 
thennal  effects,  wind  loading  of  the  booster  shell,  pressure  changes,  etc.)  acting  on  the  O- 
ring  seals,  with  no  subsequent  pressure  check  prior  to  launch.132  Finally,  Mr.  Hardy 

testified  that  during  the  NASA  -  Thiokol  phone  conference,  “No  one  in  the  meeting 

130  Dunar  and  Waring,  p.  372. 

131  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  1610. 

132  Presidential  Commission  on  the  Space  Shuttle  Challenger  Accident,  p.  1616. 
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questioned  the  fact  that  secondary  seal  was  capable  and  in  the  position  to  seal  during  the 
early  part  of  the  ignition  transient  prior  to  any  significant  joint  rotation.”133  In  this  way 
the  past  performance  of  the  secondary  O-ring  seal  during  primary  erosion  incidents 
perpetuated  the  illusion  that  the  system  was  working  properly  and  safely.  Thus  the  group 
had  collectively  brought  themselves  to  believe  that  the  SRB  joint  O-rings  would  hold, 
despite  a  body  of  data  that  seriously  raised  doubts  about  this  conclusion.  That  a  group  of 
senior,  experienced  NASA  engineers  and  managers  would  come  to  this  conclusion  in 
light  of  the  fact  that  the  primary  O-ring  was  consistently  being  compromised  during 
launch,  is  unmistakable  proof  of  collective  rationalization  denoting  the  presence  of 
groupthink. 


One  of  the  symptoms  attributed  to  groupthink  that  was  most  clearly 
evident  during  the  Challenger  disaster  was  that  of  self-censorship  of  deviations,  the  first 
of  the  Type  III  indicators  described  by  Janis.  An  examination  of  Thiokol  and  NASA  and 
personnel  behavior  during  this  time  is  rife  with  examples  of  self-censorship.  A  review  of 
the  Rogers  Commission  testimony  and  the  history  of  the  Marshall  Space  Flight  Center 
reveal  several  telling  statements.  During  the  off-line  Thiokol-only  caucus,  held  after  the 
initial  phone  conference,  where  Thiokol  recommended  not  launching  below  fifty-three 
degrees  F,  Thiokol  engineers  ended  up  censoring  themselves.  This  self-censorship  arose 
when  faced  with  Thiokol  management’s  opposition  to  their  standpoint.  Roger  Boisjoly, 
Thiokol’s  O-ring  expert  and  member  of  their  Seal  Task  Force,  stated  in  testimony  before 
the  Rogers  Commission  that: 

Okay,  the  caucus  started  by  Mr.  Mason  stating  a  management  decision 
was  necessary.  Those  of  us  [Boisjoly  and  Arnold  Thompson]  who 
opposed  the  launch  continued  to  speak  out... we  were  attempting  to  go 
back  and  re-review...  and  we  couldn’t  understand  why  it  [the 
recommendation  to  not  launch  below  fifty-three  degrees  F]  was  going  to 
be  reversed.... So  we  spoke  out  and  tried  to  explain  once  again  the  effects 
of  low  temperature.  Amie  actually  got  up. .  .walked  up  to  the  table  and  put 
a  quarter-pad  down... and  tried  to  sketch  out  once  again  what  his  concern 
was  with  the  joint,  and  when  he  realized  he  wasn’t  getting  through,  he  just 
stopped  [emphasis  added]. 134 
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Mr.  Boisjoly  went  on  to  relate  his  own  self-censorship  after  trying  in  vain 
to  persuade  Thiokol  management  to  uphold  the  “no  launch”  recommendation: 

I  tried  one  more  time  with  the  photos.  I  grabbed  the  photos,  and  I  went  up 
and  discussed  the  photos  once  again  and  tried  to  make  the  point  that  it  was 
my  opinion  from  actual  observations  that  temperature  was  indeed  a 
discriminator  and  we  should  not  ignore  the  physical  evidence  we  had 
observed.... I  also  stopped  when  it  was  apparent  that  I  couldn’t  get 
anybody  to  listen.135 

Thus,  when  Stanley  Reinartz,  manager  of  the  Shuttle  Projects  Office  at 
MSFC,  asked  if  anyone  participating  in  the  reconvened  phone  conference  disagreed  with 
the  reversed  Thiokol  decision  to  launch,  there  was  no  dissent.136 

The  occurrence  of  self-censorship  was  not  confined  to  Morton-Thiokol 
personnel;  NASA  staff  also  presented  this  symptom  of  groupthink.  NASA  engineers 
Ben  Powers  and  Keith  Coates  both  raised  concerns  with  a  cold-weather  launch  of  STS 
5 1-L.  Mr.  Coats,  one  of  the  former  SRM  chief  engineers  voiced  his  unease  with  the  cold. 
He  stated  that  he  didn’t  “lay  down  on  the  tracks,”  because  he  did  not  have  the  authority  or 
responsibility  to  act.137  Mr.  Powers,  in  his  role  as  an  SRB  engineer  told  his  chain  of 
command  that  “I  support  the  contractor  one  hundred  percent  on  this  thing.  I  don’t  think 
we  should  launch.  It’s  too  cold.”138  However,  when  one  of  Mr.  Powers  superior  implied 
that  Powers  could  have  spoken  up  for  himself,  Power  replied  that  “you  don’t  override 
your  chain  of  command.”139  History  shows  none  of  these  concerns  from  NASA  own 
engineers  made  into  the  NASA  -  Thiokol  discussions  that  resulted  in  the  decision  to 
launch  Challenger .  Thus,  both  NASA  and  Thiokol  members  of  the  Shuttle  team  clearly 
exhibited  self-censorship. 

The  second  Type  III  indicator  of  groupthink,  the  pressure  of  the  group  on 
any  dissenters  to  conform,  was  also  clearly  present  within  the  NASA  -  Thiokol  group 
responsible  for  the  Challenger  launch  decision.  The  cajoling,  bordering  on  outright 
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intimidation,  of  Thiokol  personnel  by  NASA  management  was  previously  brought  up  in 
this  paper  during  the  discussion  of  precursor  conditions  to  the  entrenchment  of 
groupthink.  In  that  discussion  of  leadership  preference  for  a  “go”  launch  decision,  one 
only  needs  to  return  to  the  statement  by  NASA’s  George  Hardy  that  he  was  appalled  by 
Thiokol’s  reasoning  for  initially  not  recommending  launch,  or  to  the  words  of  NASA’s 
Lawrence  Mulloy,  who  castigated  Thiokol  over  their  “no-go”  recommendation,  asking 
Thiokol  if  they  wanted  NASA  to  wait  until  April  to  launch  STS  51-L,  and  finally  to  the 
combined  pressure  of  Hardy  and  Mulloy  during  the  infamous  teleconference,  that  pushed 
Thiokol  to  caucus  offline.  The  result  of  which,  has  been  discussed  many  times  above  - 
was  the  reversal  of  Thiokol’s  “no  go”  launch  recommendation. 

There  are  other  examples  of  the  internal  group  pressure  to  conform,  such 
as  during  the  Thiokol  off-line  caucus.  During  that  discussion,  which  has  already  been 
described  during  the  exploration  of  other  evidence  of  groupthink,  Jerald  E.  Mason,  vice 
president  of  Thiokol’s  Wasatch  organization,  pressured  Robert  Lund,  the  vice  president 
of  engineering  to  “take  off  your  engineering  hat  and  put  on  your  management  hat.”140 
Mr.  Lund  surrendered  his  support  for  his  engineers,  and  when  the  NASA  -  Thiokol 
teleconference  resumed,  Joe  Kilminster,  the  Thiokol-Wasatch  vice  president  for  Space 
Booster  Programs  informed  NASA  that  Thiokol  has  reversed  direction  and  were  now 
recommending  launch.141  The  idea  that  the  internal  management  discussion  at  Thiokol 
during  this  caucus  was  a  form  of  pressure  on  dissenters  was  recognized  and  voiced  by 
Chairman  Rogers  himself,  when  during  Mr.  Mason’s  testimony  before  the  Commission, 
he  asked,  “Mr.  Mason,  when  you  spoke  to  Mr.  Lund  and  told  him  in  effect  to  take  off  his 
engineering  hat  and  put  on  his  management  hat,  wasn’t  that  pressure  on  your  part  to  a 
subordinate  that  he  should  change  his  mind.”142  Thus,  pressure  by  the  group  on 
dissenters  within  was  clearly  evident  at  this  time. 

The  evidence  for  a  shared  illusion  on  unanimity,  which  is  another  of  the 
Type  III  indicators  of  groupthink,  is  very  simple,  clear,  and  straightforward  in  the  case  of 
the  NASA  -  Thiokol  interactions.  As  presented  above,  Thompson’s  and  Boisjoly’s 
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testimony  before  the  Rogers  Commission  revealed  that  they  were  deeply  opposed  to 
reversing  the  “no  go”  launch  recommendation  from  Thiokol.  However,  as  stated 
previously,  they  were  not  consulted  during  the  final  management  decision  making 
process.  Consequently,  when  Thiokol  reconvened  with  NASA,  the  NASA  personnel  on 
the  other  end  of  the  line  were  presented  with  a  Thiokol  position  reversal  that  appeared 
unanimous.  Furthermore,  as  the  recommendation  to  launch  proceeded  up  NASA’s  chain 
of  command  to  the  Level  II  and  Level  I  Flight  Readiness  Reviews,  any  information  or 
notification  regarding  neither  Thiokol’s  concerns  over  temperature  effects  on  joint 
integrity,  nor  the  extensive  teleconferences  that  dealt  with  the  issue,  were  transmitted  up 
the  line.143  This  gave  the  ultimate  NASA  decision-makers  the  false  impression  that 
unanimity  on  the  launch  decision  existed. 

The  final  groupthink  symptom  described  by  Janis  is  that  of  self-appointed 
mindguards.  While  this  particular  indicator  is  the  least  evident  within  the  Challenger 
investigation,  it  does  appear.  First,  as  quoted  previously  in  the  discussion  above,  Roger 
Boisjoly,  who  was  acknowledge  by  all  as  an  O-ring  expert,  was  not  even  asked  by  his 
management  to  participate  in  the  final  Thiokol  decision-making  process  during  their 
offline  caucus.  Thiokol  Management  isolated  the  troublesome  objections  of  Mr.  Boisjoly 
as  well  as  those  of  Mr.  Thompson  during  that  final  internal  meeting.  A  look  into  the 
NASA  hierarchy  also  shows  that  the  NASA  managers  at  the  Level  III  FRR,  whether 
intentionally  or  not,  acted  to  shield  those  higher  up  in  the  decision-making  process  from 
Thiokol’s  initial  objections  to  the  launch  of  STS  5 1-L.  In  fact,  when  polled  by  Chairman 
Rogers  during  their  testimony  senior  leadership  at  all  NASA  Centers  were  not  aware  of 
Thiokol’s  launch  objections.  This  included  Jesse  Moore,  Associate  NASA  Administrator 
for  Flight  and  Director  of  the  Johnson  Space  Center  (JSC);  Arnold  Aldrich,  NASA’s 
manager  of  Space  Transportation  Systems  Programs  at  JSC;  Dr.  William  Lucas,  the 
Director  of  MSFC;  and  finally  Mr.  Richard  Smith,  Director  of  the  Kennedy  Space 
Center.144 

A  review  of  the  evidence  and  symptomatic  expression  of  groupthink 
provided  above  clearly  indicates  that  groupthink  had  taken  firm  hold  of  those  involved  in 
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the  Challenger  launch  decision,  regardless  of  their  organization  or  their  location.  As  a 
result  of  groupthink,  defective  decision-making  ran  its  course,  with  the  destruction  of 
Challenger,  the  loss  of  seven  lives,  and  a  serious  loss  of  the  nation’s  confidence  in 
NASA.  Finally,  in  the  case  of  Challenger,  Diane  Vaughan’s  assertion  the  normalization 
of  risk  played  a  major  part  in  the  accident  can  be  shown  to  be  a  complementary 
mechanism  to  groupthink.  The  compounded  effects  of  these  two  theories  left  little 
chance  of  a  successful  outcome  for  STS  51-L.  In  fact,  the  words  of  Lawrence  Mulloy 
reinforce  this  suggestion  when  he  stated, 

We  at  NASA  got  into  a  groupthink  about  this  problem  [O-ring  erosion]. 

We  saw  it,  we  recognized  it,  we  tested  it,  and  we  concluded  it  was  an 
acceptable  risk. . .  .When  we  started  down  that  road,  we  were  on  the  road  to 
an  accident.745 

Finally,  the  grim  words  of  Ben  Powers,  a  MSFC  propulsion  engineer  hit 
home.  Mr.  Powers,  based  at  MSFC,  told  another  engineer  the  morning  of  the  Challenger 
launch  that  “these  guys  don’t  have  more  than  a  fifty-fifty  chance.”146 

d.  Groupthink  and  Columbia 

One  would  believe,  after  examining  the  clear  and  widespread  indications 
of  groupthink  present  within  NASA  at  the  time  of  the  Challenger  disaster,  that  there 
could  be  no  way  such  a  scenario  could  occur  again.  Unfortunately,  an  examination  of 
information  provided  previously  in  this  paper,  combined  with  the  results  of  the  Columbia 
Accident  Investigation  Board  and  third-party  sources  reveal  just  that  -  groupthink  once 
again  became  a  major  factor  in  the  loss  of  a  Space  Shuttle  and  seven  astronauts.  Clearly, 
due  to  the  more  recent  date  of  the  Columbia  accident,  the  body  of  study  and  discourse  on 
Columbia  incident  is  not  of  same  depth  or  breadth  as  that  concerning  Challenger. 
Nonetheless,  there  is  sufficient  infonnation  for  discussion  and  to  draw  conclusions  on  the 
presence  and  role  of  groupthink  in  the  Columbia  tragedy. 

As  with  the  discussion  of  the  Challenger,  a  review  of  what,  if  any, 
antecedent  conditions  to  groupthink  were  present  with  NASA  at  the  time  of  Columbia. 
First,  is  there  evidence  of  a  highly  cohesive  “in-group?”  Linda  Ham,  the  STS- 107 
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Mission  Management  Team  Chair,  stated  in  a  press  conference,  “Obviously  no  one  wants 
to  hurt  the  crew.  These  people  are  our  friends.  They’re  our  neighbors.  We  run  with 
them,  work  out  in  the  gym  with  them.  My  husband  is  an  astronaut.  I  don’t  believe 
anyone  is  at  fault  for  this.”147  Linda  Ham’s  words  support  the  assertion  that  a  cohesive 
group  culture  existed. 

The  second  precursor  to  groupthink  taking  hold  is  the  exhibition  of  a  clear 
preference  by  the  group’s  leadership.  In  the  case  of  Linda  Ham,  a  review  of  her  words 
and  actions  show  that  she  plainly  preferred  a  finding  that  the  foam  impact  on  the  leading 
edge  of  the  wing  would  not  result  in  serious  damage  to  Columbia,  and  certainly  not  to  the 
loss  of  the  shuttle  and  its  crew.  At  the  Program  Requirements  Control  Board  (PRCB) 
meeting  after  STS- 112,  Ms.  Ham,  as  a  member  of  the  PRCB,  supported  by  Ron 
Dittemore,  decided  against  classifying  the  loss  of  bipod  foam  as  an  In-Flight  anomaly.148 
The  CAIB  was  clearly  perplexed  by  this,  and  speculated  the  reasons  for  NASA  treating 
the  STS-1 12  foam  loss  differently  than  previous  occurrences.  The  answer  appears  to  be  a 
strong  leadership  preference  for  a  decision  that  would  allow  NASA  to  meet  the  ISS  Node 
2  launch  schedule,  which  was  a  significant,  if  not  the  preeminent,  NASA  management 
goal.  Furthermore,  Ms.  Ham  herself  called  the  rationale  for  the  foam  strike  during  STS- 
1 12  being  classified  “not  a  safety-of-flight”  as  “lousy.”  In  fact  in  her  email  of  21  January 
2003  to  Ron  Dittemore  she  stated,  “...rationale  for  flight  for  the  STS-1 12  loss  of  foam 
was  lousy... Rationale  was  lousy  then  and  still  is.”149  How  could  this  acknowledgement 
of  deficient  rationale  not  trigger  more  urgency  in  gathering  imagery  of  Columbia's  left 
wing?  The  evidence  clearly  points  towards  a  leadership  preference  in  outcome.  Also 
supporting  this  obvious  preference  is  the  fact  that  when  told  that  foam  strike  damage  was 
a  maintenance  issue  only,  NASA  management  locked  onto  to  this  interpretation  and 
sought  no  other  opinions.150  The  CAIB  report  went  as  far  as  to  state,  “Tapes  of  STS-107 
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Mission  Management  Team  sessions  reveal  a  noticeable  ‘rush’  by  the  meeting’s  leaders 
to  the  preconceived  bottom  line  that  was  ‘no  safety-of-flight’  issue.”151 

The  last  piece  of  evidence  offered  for  the  existence  of  a  clear  group 
preference  for  a  specific  outcome  comes  from  the  discussion  in  Section  D.3  of  this  work. 
As  stated  in  that  section,  the  shuttle  management  team  clearly  had  a  preference  for  a 
launch  schedule  unimpeded  by  investigations  into  foam  shedding.  They  ordered  an 
investigation  into  the  rationale  used  for  flight  authorization  after  STS-87  and  STS- 112. 
The  inference  is  clear;  Linda  Ham,  Ron  Dittemore,  and  others  were  exhibiting  a  clear 
preference  for  the  foam-shedding  problem  to  be  deemed  inconsequential  to  flight 
operations.  This  is  a  clear  indication  of  a  groupthink  precursor,  and  the  rationale  and 
methodology  used  by  NASA  management  to  arrive  at  their  conclusions  are  clearly 
indicative  of  the  normalization  of  risk  as  well. 

The  final  precursor  to  groupthink,  as  given  by  Janis,  is  the  isolation  of  the 
group  from  competent  outside  opinion.  There  is  evidence  that  this  precursor  existed  as 
well.  Rodney  Rocha,  the  chief  engineer  for  the  Thermal  Protection  System  (TPS),  was 
adamant  that  not  requesting  outside  help  for  imaging  of  Columbia  was  incorrect.  Mr. 
Rocha,  wrote  an  email,  printed  it,  and  shared  the  paper  copy  with  colleagues;  ultimately 
he  did  not  send  the  message.  In  his  draft  email,  Mr.  Rocha  stated,  “In  my  humble 
technical  opinion,  this  is  the  wrong  (and  bordering  on  irresponsible)  answer  from  the  SSP 
[Space  Shuttle  Program]  and  Orbiter  not  to  request  additional  imaging  help  from  any 
outside  source.”152  The  discussion  presented  previously  with  this  paper  serves  to 
reinforce  this  isolative  approach  to  the  situation  by  NASA.  The  CAIB  probably  summed 
it  up  best  when  offering,  “Perhaps  most  striking  is  the  fact  that  management... displayed 
no  interest  in  understanding  a  problem  and  its  implications.  Because  managers  failed  to 
avail  themselves  of  a  wide  range  of  expertise  and  opinion  necessary  to  achieve  the  best 
answer  to  the  debris  strike  question. .  ,”153 

This  isolationist  approach  by  NASA  is  further  reinforced  by  none  other 

than  Dr.  Diane  Vaughan,  whose  work  is  a  foundational  component  of  this  paper,  and  who 
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has  been  discussed  extensively,  above.  In  her  testimony  before  the  CAIB,  Dr.  Vaughan, 
when  asked  by  the  Board  if  she  had  ever  been  invited  to  talk  to  NASA  about  her  work  in 
risk  acceptance  and  deviation  normalization,  stated 

No... I  heard  from  many  organizations  that  were  concerned  with  reducing 
risk  and  reducing  error  and  mistake.  The  U.S.  Forest  Service  called,  and  I 
spoke  to  hotshots  and  smoke-jumpers.  I  went  to  a  conference  the 
physicians  held,  looking  at  errors  in  hospitals.  I  was  called  by  people 
working  in  nuclear  regulatory  operations... Everyone  called.  My  high 
school  boyfriend  called.  But  NASA  never  called.75^ 

Thus,  as  with  the  case  of  the  Challenger  accident  seventeen  years  before, 
all  three  antecedents  to  the  establishment  of  groupthink  within  a  body  were  present.  The 
symptoms  of  groupthink  will  be  addressed  in  the  same  order  as  considered  in  the 
previous  discussion  of  groupthink  and  Challenger. 

As  with  Challenger,  one  needs  to  ask  if  there  was  an  illusion  of 
invulnerability  apparent  within  the  NASA  hierarchy  at  the  time  of  the  Columbia  accident. 
A  review  of  discussions  and  testimony  from  the  CAIB  proceedings  strongly  indicated  the 
existence  of  an  illusion  of  invulnerability.  During  media  interviews  in  the  weeks  leading 
up  to  the  release  of  the  CAIB’s  report,  an  unnamed  person  associated  with  the  CAIB 
(assumed  to  be  a  CAIB  member,  based  on  Admiral  Gehman’s  echoing  of  this  person’s 
words  during  a  subsequent  press  conference)  was  quoted  as  saying,  “It’s  just  a  mindset 
they  [NASA]  go  into,  that  this  was  an  operational  vehicle,  on  an  operational  mission,  and 
you  don’t  have  to  worry  about  it.”155  These  comments  not  only  indicate  a  sense  of 
invulnerability  inherent  in  the  NASA  perception  of  a  shuttle  mission  as  a  routine,  almost 
pedestrian  event;  they  echo  the  discussion  previously  regarding  the  historical  context  of 
the  Challenger  accident  in  that  NASA  treated  the  shuttle  fleet  as  “Space  Trucks.”  As 
stated  earlier  in  section  III  of  this  study,  NASA  initially  touted  the  Space  Shuttle  as  self- 
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supporting  and  cost-effective,  with  turnaround  times  as  brief  as  two  weeks,  and 
operations  so  “normal”  as  to  invite  commercial  airline  companies  to  offer  proposals  on 
the  shuttle  operations  contract.156 

This  sense  of  invulnerability  also  directly  feeds  and  complements 
Vaughan’s  normalization  of  risk  construct  as  an  underlying  cultural  contributing  cause  of 
both  shuttle  losses.  The  impression  of  invulnerability  is  also  revealed  in  the  fact  that 
despite  requirements  to  do  so,  the  Mission  Management  Team  skipped  daily  meetings 
during  the  Martin  Luther  King  Jr.  holiday  weekend.  This  lackadaisical  approach  to  the 
Columbia  mission,  even  after  the  discussion  started  on  the  foam-strike  issue,  is  telling. 
This  contrasts  with  the  fact  that  Boeing  and  United  Space  Alliance  engineers  worked 
throughout  the  long  weekend  on  the  debris  impact  assessment,  despite  no  direction  from 
NASA  to  do  so.157 

The  second  groupthink  symptom  addressed  for  Columbia  was  the 
existence  of  a  group’s  unquestioned  belief  in  their  inherent  morality.  There  is  a  single 
and  glaring  missive  from  William  Readdy,  astronaut  and  former  associate  NASA 
administrator  for  the  Office  of  Space  Flight.  Mr.  Readdy  was  the  leader  of  the  Return  To 
Flight  (RTF)  team  up  through  the  launch  of  STS  Discovery,  STS-1 14.  On  12  July  2003, 
within  a  month  of  the  CAIB’s  report,  Mr.  Readdy  authored  a  letter  to  the  RTF  team  in 
which  he  combines  the  expected  content  of  a  status  of  efforts  completed  by  the  RTF  team 
and  NASA;  an  appeal  for  inward  reflection  by  NASA’s  personnel;  a  call  to  maintain  a 
commitment  to  the  space  program,  the  nation,  the  memory  of  Columbia  and  her  crew, 
and  NASA;  and  an  attempt  to  build  NASA’s  morale  and  to  buttress  its  personnel  in  the 
face  of  the  daunting  challenges  associated  with  the  shuttle’s  return  to  flight.  However,  a 
significant  amount  of  the  letter  is  full  of  outright  indignation,  thinly  veiled  contempt,  and 
rhetoric  directed  towards  those  outside  of  NASA. 

A  complete  reading  of  this  letter  shows  unmistakably  that  with  his 
denigration  of  outsiders  and  the  overall  tone  and  the  writing’s  stylistic  approach  that  Bill 
Readdy  is  clearly  showing  NASA’s  belief  in  their  inherent  morality.  Mr.  Readdy  draws 

156  ADM  D.  Eaton  (Ret),  “Project  Plan  Submittal,”  email  to  authors,  10  February  2006. 

157  Columbia  Accident  Investigation  Board,  p.  142. 
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on  the  words  of  Theodore  Roosevelt,  Helen  Keller,  and  John  F.  Kennedy  in  an  attempt  to 
align  himself  and  by  association,  NASA,  with  these  icons  of  history,  which  the  nation 
holds  in  great  esteem  and  of  high  moral  standing.158  In  his  letter  to  NASA’s  RTF  team, 
Mr.  Readdy  stated 

Long  forgotten  will  be  the  many,  many  scores  of  safely  and  successfully 
accomplished  missions.  There  will  be  days  -  weeks  -  when  Congress  and 
the  media  will  mount  their  bully  pulpits  and  rail  righteously  at  how 
careless,  callous,  and  indifferent  all  of  us  [NASA]  must  have  been  to  allow 
Columbia  and  her  valiant  crew  to  be  lost  so  needlessly.  And  whatever  we 
could  say  in  our  own  defense,  no  matter  how  true,  will  fall  on  mostly  deaf 
ears.  We  cannot  let  fear  of  criticism  stop  us  from  doing  what  we  need  to 
do  or  allow  the  critics  to  cow  us  into  inaction.759 

The  above  quote  clearly  reveals  the  moral  high-ground  Mr.  Readdy  truly 
believes  his  organization  commands.  To  further  reinforce  the  belief  that  Mr.  Readdy’s 
words  are  further  indication  of  groupthink,  consider  the  following  from  the  same  letter 

Our  individual  and  collective  patience  has  been  sorely  tested.  It  will  be 
again  and  again.  Our  expertise,  professionalism,  commitment,  and  resolve 
will  be  questioned... We  will  be  called  upon  to  explain  things  again  and 
again  to  people  who  never  seem  to  understand  or  appreciate,  much  less 
applaud  our  successes  -  but  yet  are  capable  of  becoming  instant  experts 
when  it  comes  to  our  failures  and  assigning  blame.750 

In  addition  to  providing  evidence  of  NASA’s  belief  in  their  inherent 
morality,  the  above  quotations  serve  to  directly  support  of  the  next  groupthink  symptom, 
the  negative  stereotyping  of  those  outside  the  group. 

In  Mr.  Readdy’s  letter  to  the  RTF  team,  his  use  of  terms  such  as  “instant 
experts,”  and  “bully  pulpits,”  combined  with  the  overall  sarcastic  and  reproachful  tone  of 
the  letter  when  talking  about  “outsiders,”  plainly  show  the  sort  of  stereotyping  indicative 
of  groupthink  within  an  organization.  As  a  final  point,  with  respect  to  Mr.  Readdy’s 
letter  to  his  people,  James  Oberg,  who  spent  twenty-two  years  working  at  NASA’s 
Mission  Control  at  the  JSC,  had  the  following  indictment  of  NASA’s  behavior  in  this 
context 

158  p  Readdy,  “Letter  to  Return  to  Flight  Team  from  OSF  AA  Bill  Readdy,” 
[http://spaceref.com/news/viewsr.html?pid=9779],  Last  accessed  January  2006. 
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By  demonizing  all  non-NASA  critics,  and  by  suggesting  that  questioning 
the  judgment  of  NASA’s  leadership  is  an  insult  to  every  space  worker,  the 
memo  fully  exposes  the  arrogant  groupthink  [emphasis  added]  that 
festers  in  NASA’s  soul. 161 

A  final  example  of  stereotyping  and  opposition  to  outsiders  was  related  by 
Dr.  Diane  Vaughan.  According  to  Dr.  Vaughan,  the  first  time  she  was  contacted  by 
NASA  officials  was  in  April  2003.  Dr.  Vaughan  imagined  the  caller  was  interested  in  her 
views  on  any  possible  similarities  between  the  Challenger  and  Columbia  accidents.  But 
this  was  not  the  case.  Dr.  Vaughan  ended  up  getting  a  “two-hour  soliloquy”  from 
Michael  Greenfield,  the  then  and  current  Associate  Deputy  Administrator  for  Technical 
Programs  at  NASA.  ”  During  this  conversation,  the  tone  and  content  of  which  was  later 
confirmed  by  Mr.  Greenfield,  he  told  Dr.  Vaughan  that  her  assessment  of  NASA  was 
wrong,  and  that  there  were  no  parallels  between  the  Challenger  and  Columbia  tragedies. 
He  also  told  Dr.  Vaughan  that  NASA  had  corrected  their  organizational  problems  after 
Challenger.163  Thus  the  stereotyping  of  outsiders  as  wrong,  stupid,  uninformed,  etcetera 
is  clearly  found  at  NASA. 

As  stated  previously,  within  the  construct  of  groupthink,  collective 
rationalization  enables  a  group  to  reject  warning  signs  that  would  push  them  to  reconsider 
their  given  course  of  action.  As  with  the  Challenger  accident,  this  groupthink  indicator 
existed  within  NASA  at  the  time  of  Columbia.  In  one  instance  of  rationalization,  NASA 
documentation  released  in  the  weeks  preceding  the  issue  of  the  CAIB  report  revealed  that 
STS  Atlantis  was  also  subject  to  a  penetration  of  a  wing  leading  edge  with  plasma  during 
the  shuttle’s  re-entry  at  the  end  of  mission  STS-101.164  Obviously  history  shows  that 
NASA  did  not  stop  the  shuttle  program  temporarily  to  correct  this  design  defect;  the 
shuttle  fleet  continued  to  fly  in  an  effort  to  meet  ISS  schedule  pressures.  In  discussing 


161  J.  Oberg,  “NASA  Requires  Overhaul  at  Top,”  [http://usatoday.com/news/opinion/editorials/2003- 
08-20-oberg_x.htm],  Last  accessed  November  2004. 

163  M.  Dunn,  “NASA  Finally  Looks  to  Sociologist,” 
[http://www.space.com/news/nasa_sociologist_030830.html],  Last  accessed  May  2004. 
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NASA’s  public  acknowledgement  of  a  pattern  of  foam  loss  and  even  wing  breeches, 
Mary  Ellen  Weber,  a  crewmember  of  STS- 101,  stated 

Absolutely,  people  knew  if  you  have  a  breech  in  the  wing,  bad  things  can 
happen.  That  isn’t  news.  Knowing  what  I  know  now  about  gas  entering 
the  shuttle’s  wing,  do  I  believe  the  mission  I  was  on  was  any  more  risky 
than  I  thought  it  was  when  I  took  off?  No... We  may  fix  this  particular 
problem,  but  I  guarantee  the  next  time  astronauts  get  on  that  shuttle  there 
will  be  a  thousand  other  things  that  can  happen.765 

While  Professor  Weber’s  statements  could  be  taken  as  a  simple 
recognition  of  the  hazards  of  space  flight,  there  is  a  clear  rationalization  of  the  risks 
present  in  her  words.  To  say  that  she  believes  in  light  of  the  Columbia's  loss  that  her 
flight  on  Atlantis,  which  suffered  a  similar  wing  failure  was  no  more  risky,  displays 
bravado  bordering  on  foolhardiness.  Weber’s  stance  is  contrasted  with  that  of  Paul 
Czysz,  a  professor  of  aerospace  engineering  and  NASA  consultant,  who  met  the 
disclosure  of  the  previous  wing  damage  during  STS- 101  with  puzzlement  as  to  why 
NASA  was  not  proactive  in  assessing  the  problem.  Professor  Czysz  told  reporters,  “That 
[the  Atlantis  Thennal  Protection  System  failure]  says  they  had  fair  warning  and  ignored 
it.  They  should  have  said  if  that  [the  Columbia  foam  impact]  opened  up  a  crack  any 
bigger  than  the  one  on  Atlantis,  we’re  in  deep  trouble.”166  The  record  shows  that  NASA 
did  not  address  the  wing  breech  issue  in  any  substantive  way  prior  to  STS- 107.  This 
collection  rationalization  of  the  risks  associated  with  debris-strike  can  also  be  seen  as  the 
nonnalization  of  deviation  theory.  As  discussed  in  the  contextual  sections  of  this  paper, 
Dr.  Vaughan’s  theory  makes  for  a  compelling  complement  to  groupthink  as  contributing 
factors  to  both  the  Challenger  and  Columbia  losses. 

Finally,  James  Oberg,  whose  previously  referenced  editorial  was  a 
scathing  indictment  of  NASA’s  management  culture,  also  believe  that  NASA  suffered 
from  this  sort  of  collective  rationalization.  In  his  discussion  of  the  post  -Columbia  loss 
foam  impact  testing,  which  clearly  reveal  the  extensive  damage  a  foam  strike  could  do  to 


165  M.L.  Wald  and  J.  Schwartz,  “Earlier  Shuttle  Flights  Suffered  from  Same  Columbia  Problems.” 
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the  orbiter’s  wing,  Mr.  Oberg  declared  “Yes  even  after  launch,  NASA  officials  continued 
to  make  convenient  and  false  assumptions  about  how  bad  the  damage  could  be.”167 

As  with  the  Challenger  analysis,  one  of  the  symptoms  of  groupthink  most 
clearly  evident  during  the  Columbia  event  was  that  of  self-censorship  on  part  of  group 
members.  The  official  testimony  and  other  sources  are  rife  with  examples  of  self¬ 
censorship  on  the  part  of  NASA.  The  CAIB  report  is  full  of  examples  of  self-censorship. 
As  described  in  this  paper’s  discussion  of  the  antecedents  to  the  establishment  of 
groupthink  with  regard  to  Columbia,  Rodney  Rocha,  the  TPS  chief  engineer  drafted  an 
email  where  he  called  the  decision  to  not  request  outside  imaging  help  “wrong”  and 
“bordering  on  irresponsible.”  Yet  ultimately  Rocha  did  not  send  the  email;  self¬ 
censorship  took  hold.  Mr.  Rocha  was  an  interviewee  during  an  American  Broadcasting 
Company  (ABC)  special  report  where  he  admitted  to  not  being  vocal  about  his  foam- 
strike  concerns  during  the  meeting  where  Linda  Ham  put  the  matter  to  rest.  Rocha  told 
his  interviewer  that  he  was  afraid  he  would  lose  his  job,  and  that  he  “just  couldn’t  do  it 
[speak  up].”168  The  CAIB  report  reinforces  Mr.  Rocha’s  statements.  The  Board’s 
investigators  were  told  by  Debris  Assessment  Team  members  that  they  believed  they 
would  be  singled  out  for  scorn  by  their  colleagues  and  management  if  they  had  been 
more  strident  about  their  unease  over  the  severity  of  the  foam-strike  on  Columbia .169 

Further  evidence  of  self-censorship  can  be  found  in  reviewing  the  actions 
and  inaction  of  Wayne  Hale,  who  was  the  Shuttle  Program  Manager  for  Launch 
Integration  at  KSC.  Mr.  Hale  was  the  first  person  approached  by  personnel  interested  in 
obtaining  imagery  for  a  debris-strike  evaluation  on  Columbia. 170  Mr.  Hale  pursued  the 
request  through  various  channels,  until  Linda  Ham  stopped  the  request  process  as  head  of 
the  MMT.171  Mr.  Hale,  who  took  over  as  Deputy  Manager  of  the  Space  Shuttle  Program 


167  J.  Oberg,  “NASA  Requires  Overhaul  at  Top.” 
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in  the  aftennath  of  Columbia,  felt  that  he  should  have  pushed  harder  for  the  imagery 
request  to  be  executed,  and  that  his  decision  to  not  push  would  “haunt  him  for  the  rest  of 
his  days.”172 

Janis  has  shown  that  another  Type  III  indicator  of  groupthink  is  the 
pressure  of  the  group  itself  on  any  dissenters  to  conform  to  the  collective.  Once  again,  as 
was  the  case  in  the  lead-up  to  the  Challenger  disaster,  this  groupthink  symptom  was 
present  within  NASA.  As  discussed  in  Section  III  of  this  paper,  the  CAIB  delved  into  the 
organizational  causes  and  the  impact  of  a  flawed  safety  culture  on  Columbia's  loss.  The 
CAIB  report  states,  “Program  managers  created  huge  barriers  against  dissenting 
opinions...”173  In  their  discussion  of  the  cultural  and  organization  dysfunctions  that 
contributed  to  the  Columbia  accident,  the  CAIB  provided  further  rationale  supporting 
pressure  on  dissent.  When  speaking  of  the  ad  hoc  chain  of  command  that  influenced  the 
end  result  of  STS- 107,  they  criticized  the  behavior  of  an  unnamed  NASA  expert 

...a  Thermal  Protection  System  tile  expert,  who  was  a  member  of  the 
Debris  Assessment  Team  but  had  an  office  in  the  more  prestigious  Shuttle 
Program,  used  his  personal  network  to  shape  the  Mission  Management 
Team  view  and  snuff  out  dissent  [emphasis  added].  174 

The  CAIB  believed  that  NASA  management  techniques  and  NASA’s  organizational 
structure  also  served  to  squelch  dissent.  NASA  management  is  directly  charged  by  the 
CAIB  with  not  seeking  out  dissenting  opinions  to  help  explore  all  options.175 

Thus,  pressure  on  dissenters  within  the  Mission  Management  Team  and 
others  support  it  is  shown  to  be  evident  within  NASA  during  the  time  of  the  Columbia 
mishap. 

The  groupthink  symptom  of  the  false  impression  of  group  unanimity  is 
closely  aligned  with  that  of  self-censorship.  The  lack  of  vocalization  of  concerns  about 
the  magnitude  of  the  foam  strike  on  Columbia's  left  wing,  as  well  as  the  lack  of  forceful 
dialog  about  the  need  for  outside  imaging  help,  as  described  above  only  served  to  support 

172  B.  Dickey,  NASA ’s  Next  Step,  p.  36,  Government  Executive,  Vol.  36,  No.  6,  April  2004,  p.  36. 
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the  notion  that  all  were  in  agreement  regarding  the  risks  to  reentry  as  well  as  the  lack  of 
real  need  for  further  imaging  support  for  the  Debris  Assessment  Team  analysis.  That  this 
perception  of  conformity  was  truly  illusory  is  shown  in  the  email  of  Robert  Daugherty,  a 
landing  gear  specialist  at  Langley  Research  Center.  In  his  email  of  28  January  2003, 
Daugherty  asks  his  counterpart  at  JSC,  “Any  more  activity  today  on  the  tile  damage,  or 
are  people  just  relegated  to  crossing  their  lingers  and  hoping  for  the  best?”176  These 
words  show  just  how  false  the  unanimity  was. 

The  final  groupthink  symptom  to  be  addressed  here  for  the  case  of 
Columbia  is  the  existence  of  self-appointed  mindguards  within  organization  who  strive  to 
insulate  the  group  from  anything  perceived  as  negative  or  detrimental  to  its  function.  The 
most  common  type  of  mindguard  behavior  is  tied  to  the  stereotyping  of  outsiders.  In 
negatively  stereotyping  outsiders  and  dissenters,  the  mindguards  involved  in  the 
Columbia  episode,  such  as  William  Readdy,  act  to  marginalize  and  trivialize  this  outside 
input  as  haymaking.  In  an  effort  to  act  as  one  of  NASA’s  chief  mindguards,  Mr.  Readdy 
quotes  Teddy  Roosevelt  in  his  message  to  his  team  and  indirectly  to  the  larger  audience 
he  knew  would  undoubtedly  read  his  letter.  Readdy’s  correspondence  is  full  of  the  sort 
of  language  that  reinforces  the  barrier  between  NASA  and  the  outside  world.  Roosevelt’s 
words  are  worth  repeating  here  to  substantiate  the  assertion  of  Readdy  acting  as  a 
mindguard. 

It  is  not  the  critic  who  counts;  not  the  man  who  points  out  how  the  strong 
man  stumbles,  or  where  the  doer  of  deeds  could  have  done  them  better. 

The  credit  belongs  to  the  man  who  is  actually  in  the  arena,  who  strives 
valiantly;  who  knows  the  great  enthusiasms,  the  great  devotions,  and 
spends  himself  in  a  worthy  cause;  who,  at  best,  knows  the  triumph  of  high 
achievement;  and  who,  at  worst,  if  he  fails,  at  least  fails  while  daring 
greatly,  so  that  his  place  shall  never  be  with  those  cold  and  timid  souls 
who  know  neither  victory  nor  defeat  [emphasis  added].177 

The  message  is  clear;  Mr.  Readdy  is  relating  the  struggle  of  those  who 
“strive  valiantly... who  spends  himself  in  a  worthy  cause,”  those  who  if  they  do  not 
succeed,  at  least  they  tried  something  “daring,”  to  NASA.  This  lionizing  of  his  own 

176  Columbia  Accident  Investigation  Board,  p.  165. 
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organization  is  contrasted  with  Roosevelt’s  “cold  and  timid  souls  who  know  neither 
victory  nor  defeat.”  These  people  are  unquestionably  those  same  people  Readdy 
previously  called  “instant  experts”  and  critics.  Here  he  is  zealously  guarding  his  people, 
and  one  could  argue  irrationally  so. 

When  investigating  the  existence  of  mindguards  within  NASA,  a  review 
of  NASA’s  actions  prior  to  the  reentry  attempt  of  Columbia  show  that  personnel  at  lower 
levels  associated  with  the  debris  assessment  were  convinced  the  foam  strike  was 
inconsequential  (a  “maintenance”  issue)  and  as  such  they  did  not  pass  anything  but  a 
unified,  “we’re  okay”  position  up  the  management  chain.  Thus,  they  served  as 
mindguards.  A  concrete  example  of  mindguard  behavior  is  that  exhibited  by  Leroy  Cain, 
the  STS-107  ascent  and  entry  Flight  Director.  Mr.  Cain,  in  rebuttal  to  Rodney  Rocha’s 
previously  quoted  statement  regarding  his  self-censorship,  declared,  “You  are  duty-bound 
as  a  member  of  this  team  to  voice  your  concerns,  in  particular  as  they  relate  to  safety  of 
flight.”178  Thus,  Cain  was  acting  as  a  mindguard  for  NASA,  protecting  itself  against 
negative  impressions  of  its  culture  and  organization. 

The  evidence  presented  above  unmistakably  shows  that  as  with  the 
Challenger  calamity,  groupthink  existed  within  NASA  at  the  time  of  the  Columbia 
accident.  As  with  Challenger,  flawed  decision-making  led  to  the  loss  of  seven  astronauts 
and  Columbia.  As  with  Challenger,  the  nation’s  faith  in  NASA  was  shaken  to  its  core 
and  still  has  not  recovered.  Lastly,  the  Diane  Vaughan’s  theory  of  risk  normalization  can 
be  seen  as  a  complementary  and  symbiotic  mechanism  to  Jams’ s  groupthink. 


178  J.  Schwartz,  “Unheeded  Concerns  and  the  Columbia  Disaster.” 
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V.  CONCLUSIONS  AND  RECOMMENDATIONS 


A.  OVERVIEW 

The  authors’  Command,  NUWC  Division  Newport,  and  Naval  Sea  Systems 
Command  in  general,  as  major  technical  entities  in  the  specification,  engineering,  and 
management  of  critical  U.S.  Navy  submarine  and  surface  ship  systems,  is  faced  with 
tasks,  challenges,  and  decision,  which  could  ultimately  have  life-or-death  consequences 
on  a  national  or  even  international  scale,  just  as  is  the  case  with  NASA.  The  conclusions 
and  recommendations  that  follow  will  reveal  a  variety  of  lessons-learned,  both  the 
glaringly  evident  and  the  subtle,  that  are  applicable  beyond  NASA  and  the  authors’ 
Command  to  other  Department  of  Defense  (DoD)  activities. 

Any  person  who  has  paid  attention  to  the  trials  and  travails  of  the  DoD  in  the  last 
decade  or  so  is  well  aware  that  one  of  the  mantras  of  this  world  is  to  incorporate  lessons- 
learned  wherever  and  whenever  possible,  as  an  input  towards  achieving  continuous 
improvement  downstream.  While  this  is  often  construed  as  a  vain  attempt  to  salvage 
some  good  from  a  DoD’s  project’s  poor  outcome,  there  is  truly  significant  value  in 
capturing  what  worked  and  what  did  in  order  to  feed  efforts  to  maintain  continuous 
improvement.  There  have  been  very  few  major  (Acquisition  Category  (AC AT)  I) 
programs  that  haven’t  been  held  up  as  examples  of  DoD  ineffectiveness,  at  some  time  or 
another,  either  in  the  press,  by  watchdogs  groups,  or  Congress  (especially  in  cases  of 
Nunn-McCurdy  breeches)  during  budget  hearings.  A  cross-service  subset  of  these 
programs  includes  the  F/A-22  Raptor,  the  OV-22  Osprey,  the  LPD-17,  the  Future 
Combat  System,  Advanced  Seal  Delivery  System,  and  a  variety  of  other  high  profile 
programs. 

Thus,  when  reviewing  NASA’s  experiences  and  activities  associated  with  the  two 
shuttle  losses,  beyond  the  discrete  conclusions  that  can  be  draw  regarding  NASA,  there 
are  generalized  observations  and  recommendations  can  be  made  that  would  serve  to  aid 
the  perfonnance  of  other  activities  that  pursue  similar  high-risk,  large-scale,  technically- 
complex  projects  within  the  confines  of  a  large,  dispersed,  public  bureaucracy. 
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B.  CONCLUSION  I 
1.  Conclusion 

Risk  acceptance  and  normalization  of  deviance  cannot  be  allowed  to  become  an 
embedded  organizational  behavior. 

The  research  of  Dr.  Diane  Vaughan,  and  the  further  investigation  undertaken  in 
this  paper,  clearly  shows  that  the  acceptance  of  risk  concurrent  with  the  normalization  of 
deviation  leads  organizations  to  lower  the  bar  for  risk  analysis  and  to  raise  it  when 
considering  what  deviations  from  the  previously  accepted  norm  require  a  pause  in 
operations  for  detailed  investigations.  In  the  case  of  NASA,  O-ring  erosion  and  foam 
shedding  were  originally  not  allowed,  but  continued  “success”  in  flight  operations  with 
these  anomalies  desensitized  NASA  management  to  the  mounting  risks  associated  with 
flying  the  shuttles  “as  is.”  As  this  paper  has  shown,  Dr.  Richard  Feynman,  arguably  one 
of  the  brightest  minds  of  the  twentieth  century,  provided  early  confirmation  of  risk 
acceptance  as  a  problem  within  NASA  in  his  personal  observations  which  formed  part  of 
the  Rogers  Commission  report.  Feynman  compared  NASA  risk  acceptance  to  playing 
Russian  roulette.  This  analogy  is  both  stark  and  fitting.  The  dilution  of  original 
performance  or  design  standards  without  comprehensive,  risk-based  analysis  to  back  it  up 
is  to  court  disaster,  as  did  NASA.  Redefining  acceptability  based  on  successful 
performance  with  unintended  abnormalities  is  not  prudent. 

The  CAIB  stated  that  in  the  cases  of  both  Challenger  and  Columbia, 

Anomalies  that  did  not  lead  to  catastrophic  failure  were  treated  as  a  source 
of  valid  engineering  data  that  justified  further  flights... In  both  cases 
[Challenger  and  Columbia ]  engineering  analysis  was  incomplete  and 
inadequate.  Engineers  understood  what  was  happening,  but  they  never 
understood  why.179 

Thus  the  CAIB,  the  Rogers  Commission,  and  independent  observers  like  Dr. 
Vaughan  all  have  reached  the  same  conclusion  regarding  risk  normalization  in  high-risk, 
complex,  technology-driven  pursuits. 


I79  Columbia  Accident  Investigation  Board,  p.  196. 
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2.  Recommendation 

Organizations  that  pursue  high-risk,  cutting-edge  technological  work  should  never 
redefine  acceptable  perfonnance  based  on  past  performance  with  inadvertent  deviations 
from  established  norms.  Any  risk  assumption  needs  to  be  based  upon  in-depth  analysis 
and  objective  assessment  of  risk  probability  and  consequence  of  occurrence. 

Normalization  of  risk  should  not  occur,  ever.  The  slippery-slope  of  the  gradual 
acceptance  of  the  abnormal  as  nonnal  results  in  a  false  sense  of  security  and  a  blindness 
to  the  underlying  problems  inherent  with  the  occurrence  of  a  repeatable,  yet  seemly 
innocuous  abnormality  that  varies  from  a  system’s  initial  operational  precepts  and 
requirements.  Diane  Vaughan,  in  her  presentation  before  the  CAIB,  provided  some  high- 
level  recommendations  on  how  to  help  prevent  this  sort  of  negative  behavior  within  an 
organization.  She  told  the  Board  that  organizational  leaders  need  to  stay  grounded,  and 
to  make  sure  they  remain  aware  of  the  hazards  of  their  own  organization’s  work180.  She 
also  stated  that  organizations  need  to  ensure  they  don’t  miss  “signals.”  That  is,  for 
example,  O-ring  erosion  is  a  signal  that  the  SRB  system  was  not  performing  as  designed, 
regardless  of  the  “successful”  outcome  and  should  be  analyzed  further.  All  levels  of  an 
organization  should  be  in  sync  with  regards  to  the  likelihood  and  consequences  of  risk. 
Dr.  Feynman  mentioned  this  explicitly  in  his  conclusions  to  his  appendix  to  the  Rogers 
Report.  All  elements  and  organizational  levels  must  be  allowed  to  voice  dissenting 
opinions  and  that  there  should  be  a  cultural  value  to  making  sure  no  one  is  intimidated 
into  silence.  Conversely  there  needs  to  be  respect  for  the  accountability  and 
responsibility  inherent  in  management  decisions,  when  based  upon  the  open  and  rational 
assessment  and  assumption  of  risk.  This  recommendation  is  further  reinforced  by  the 
follow-on  recommendation  regarding  groupthink,  below.  On  this  point  the  CAIB 
provided  guidance  to  NASA,  which  is  extremely  applicable  to  similar  organizations.  The 
CAIB  noted  that 

It  is  obvious  but  worth  acknowledging  that  people  who  are  marginal  and 
powerless  in  organizations  may  have  useful  information  or  opinions  that 
they  don’t  express.  Even  when  these  people  are  encouraged  to  speak,  they 


180  Testimony  of  Dr.  Diane  Vaughan,  Columbia  Accident  Investigation  Board  Public  Hearing 
Transcript,  23  April  2003. [  http://www.caib.us/events/public_hearings/20030423/transcript_pm.html],  Last 
accessed  June  2003. 
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find  it  intimidating  to  contradict  a  leader’s  strategy  or  a  group  consensus. 

Extra  effort  must  be  made  to  contribute  all  relevant  information  to 
discussions  of  risk.  These  strategies  are  important  for  all  safety  aspects, 
but  especially  necessary  for  ill-structured  problems  like  O-rings  and  foam 
debris.  Because  ill-structured  problems  are  less  visible  and  therefore  invite 
the  normalization  of  deviance,  they  may  be  the  most  risky  of  all.181 

A  key  organizational  element  that  is  required  to  counteract  normalization  of 
deviation  is  the  existence  of  a  robust  and  independent  safety  program  and  organization. 
This  organizational  construct  is  treated  in  more  detail  in  a  follow-on  conclusion,  below. 
But,  it  is  important  to  note  that  in  the  case  of  the  Columbia  accident  the  CAIB 
recommended  in  their  findings  on  the  topic  of  deviance  normalization  that  “A  safety  team 
must  have  equal  and  independent  representation  so  that  managers  are  not  again  lulled  into 
complacency  by  shifting  definitions  of  risk.”182 

Safety  programs  should  never  be  cut  simply  on  basis  of  the  project’s  bottom  line. 
Any  reduction  in  safety  should  be  taken  in  lock-step  with  a  re-evaluation  of  the  project’s 
overall  goals  and  requirements.  Reduction  simply  based  on  past  performance  on  other 
projects  is  not  sufficient  justification  for  taking  such  action. 


C.  CONCLUSION  II 

1.  Conclusion 

A  shift  in  an  organization’s  precepts  from  proving  a  positive  to  proving  a  negative 
results  in  erosion  of  safety  principals  and  supports  a  shift  to  unwarranted  nonnalization  of 
deviation. 

The  analysis  in  this  thesis  has  revealed  that  NASA’s  cultural  shift  to  proving  it 
unsafe  to  fly  the  shuttle  rather  than  confirming  it  was  safe  to  fly,  as  was  the  case  during 
the  Apollo  Program,  contributed  greatly  to  the  demise  of  Challenger  and  Columbia.  In 
the  case  of  Challenger,  Thiokol  representatives  felt  NASA  management’s  insistence  on 
proving  the  shuttle  unsafe  to  fly  in  cold  weather  with  O-ring  blow-by  was  an  impossible 
standard  to  meet.  Under  the  conventional  standard  of  proving  a  system  safe  before 
operation,  there  would  have  been  plenty  of  unknowns  stated  to  not  allow  Challenger  to 

181  Columbia  Accident  Investigation  Board,  p.  203. 

182  Columbia  Accident  Investigation  Board,  p.  203. 
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launch.  This  cultural  shift  and  the  inherent  risks  it  reintroduced  to  the  Space  Shuttle 
Program  were  noted  by  the  CAIB  with  respect  to  Columbia.  These  findings  apply  to  any 
similar  organization,  and  pushing  personnel  to  prove  a  negative  as  means  of  maintaining 
schedule  and  operations  is  a  cultural  rule  that  increases  the  risk  of  mission  failure.  The 
inability  to  disprove  a  system’s  safe  operation  inherently  leads  to  an  increase  in  risk 
assumption.  Furthermore,  the  normalization  of  deviation  can  lead  to  the  inability  to 
prove  an  unsafe  condition  and  thus,  a  system  is  perceived  as  safe  to  operate. 

2.  Recommendation 

System  operations  and  schedules  must  be  predicated  upon  proving  a  system  is 
safe  to  operate  and  is  effective,  rather  than  the  opposite. 

This  recommendation  is  succinct  and  self-evident.  Requiring  organizational 
components  to  prove  a  system  is  safe  to  function  instead  of  substantiating  it  is  unsafe  to 
operate  helps  to  ensure  all  risks  are  identified,  analyzed,  and  mitigated  properly 
beforehand.  Ensuring  all  levels  and  functions  of  an  organization  follow  this  dictum  will 
mean  that  any  unanswered  questions  or  ill-understood  risks  will  stop  the  march  towards 
an  event.  In  the  case  of  DoD  programs,  this  would  serve  to  prevent  Operational  Test 
(OT)  failures,  and  in  the  extreme  case,  loss  of  life  as  regrettably  occurred  in  the  V-22 
Osprey  Program.  It  follows  that  examining  all  risks  adequately  prior  to  concurrence  to 
move  forward  with  an  event  or  operation  implies  that  normalization  of  deviation  should 
not  occur. 

D.  CONCLUSION  III 

1.  Conclusion 

The  existence  of  groupthink  within  an  organization  leads  to  a  lower  probability  of 
mission  success  and  intrinsically  supports  the  undesired  normalization  of  deviation  and 
unjustified  risk  acceptance. 

This  paper’s  in-depth  examination  of  the  Challenger  and  Columbia  incidents  for 
evidence  of  groupthink  clearly  indicates  that  it  existed  within  the  NASA  hierarchy  at 
those  times  and  shows  the  destructive  consequences  of  not  recognizing  its  presence  and 
negating  it.  Without  calling  out  groupthink  by  its  name,  the  CAIB,  in  particular,  invoked 
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several  of  Janis’s  precepts  and  groupthink  remedies,  which  follow  below,  in  its 
recommendations.  One  prime  example  is  their  discussion  of  the  importance  of  airing 
minority  opinions  and  the  use  of  a  devil’s  advocate.  The  CAIB  stated  “Organizations 
with  strong  safety  cultures  generally  acknowledge  that  a  leader’s  best  response  to 
unanimous  consent  is  to  play  devil’s  advocate  and  encourage  exhaustive  debate... leaders 
failed  to  seek  out  such  minority  opinions.  Imagine  the  difference  if  any  Shuttle  manager 
had  simply  asked,  ‘Prove  to  me  that  Columbia  has  not  been  harmed.’”183 

The  examination  of  NASA’s  behavior  during  the  time  of  Challenger  and 
Columbia  clearly  shows  where  all  of  the  eight  symptoms  of  groupthink  existed  within 
NASA  and  at  times,  its  contractors.  These  symptoms  resulted  in  NASA  failing  to  plan 
for  contingencies,  neglecting  to  examine  the  risks  of  their  preferred  choices, 
demonstrating  a  clear  selective  information  bias,  and  finally,  failing  to  completely  review 
possible  alternatives  and  outcomes.  The  net  results  were  the  loss  of  two  space  shuttles 
and  fourteen  astronauts.  Furthermore,  some  of  these  symptoms  such  as  Excessive 
Rationalization  directly  support  Diane  Vaughan’s  concurrent  theories  of  risk  assumption 
and  normalization  of  deviance. 

2.  Recommendation 

High-perfonning  organizations  pursuing  technically-challenging  goals  with  high 
risk  and  visibility  should  ensure  that  cultural  norms  and  processes  are  established  and 
maintained  to  root  out  and  neutralize  groupthink. 

The  detailed  implementation  of  this  recommendation  can  best  be  summarized  by 
Janis’s  own  counsel  on  the  matter.  Janis  offers  nine  remedies  to  groupthink.184  A 
detailed  description  of  each  recommendation  can  be  found  in  Appendix  D. 

1 .  Encourage  critical  thinking 

2.  Leadership  should  attempt  to  remain  impartial  to  ideas  or  proposals 

3.  Use  multiple  subgroups  in  parallel  with  different  leaders  to  work  the  same 
problem 

4.  Reconvene  the  smaller  subgroups  to  reach  a  combined  decision 

183  Columbia  Accident  Investigation  Board,  p.  192. 

184  Janis,  Victims  of  Groupthink:  A  Psychology’  Study  of  Foreign  Policy,  p.  204,  Houghton  Mifflin, 
Boston,  1972. 
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5.  Each  member  of  the  group(s)  should  be  empowered  and  authorized  to 
discuss  the  group’s  progress  with  trusted  associates  outside  the  “in-group”, 
but  within  the  larger  organization 

6.  Outside  expert  opinion  should  be  allowed. 

7.  A  devil’s  advocate  should  be  assigned  within  the  group 

8.  Take  time  to  discuss  potential  opposing  views  and  responses 

9.  Have  a  “second  chance”  meeting  prior  to  a  final  decision 

Janis  noted  that  these  steps  do  not  guarantee  that  a  perfect  decision  is  made,  but 
significantly  increase  the  chances  of  reaching  good  one.  Also,  it  is  noted  that  these  steps, 
particularly  those  that  involve  the  voicing  of  concerns  and  the  review  by  outside  experts 
may  lead  to  a  prolonged  decision-making  process,  which  may  increase  time  pressures. 
However,  it  is  incumbent  upon  leadership  to  fully  understand  their  organization’s  culture 
and  to  work  to  incorporate  at  least  some  of  the  antidotes  for  groupthink  in  a  manner  that 
balances  all  mission  requirements. 


E.  CONCLUSION  IV 

1.  Conclusion 

A  lack  of  an  independent  and  sufficiently  resourced  safety  program  greatly 
increased  the  risk  of  catastrophic  mishaps  occurring. 

The  Rogers  Commission  and  the  CAIB  both  issued  firm  findings  and 
recommendations  on  the  insufficient  and  atrophied  safety  programs  in  place  during  the 
times  of  Challenger  and  Columbia.  The  Rogers  Commission  spoke  of  a  “silent”  safety 
program,  while  the  CAIB  stated  this  silence  had  returned  prior  to  the  Columbia's  loss. 
Both  investigative  bodies  strongly  recommended  the  establishment  of  truly  autonomous 
and  independently  funded  safety  and  reliability  organizations,  with  direct  reporting  to 
NASA  Headquarters.  NASA’s  safety  organization  and  their  culture  was  described  as 
complacent  and  filled  with  unjustified  optimism.185  Finally,  the  loss  of  in-house 


185  Columbia  Accident  Investigation  Board,  p.  180. 
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expertise  and  organizational  downsizing  due  to  budgetary  pressures,  combined  with  the 
outsourcing  of  key  safety-related  operations,  further  lessened  NASA’s  ability  to  conduct 
a  proper  safety  program. 

The  operations  and  fate  of  NASA’s  safety  program  is  echoed  with  occurrences  of 
the  same  sort  within  the  DoD  community.  Within  NAVSEA,  for  example,  safety 
programs  are  typically  funded  by  the  Program  Offices  which  is  acquiring  the  system  or 
systems  being  overseen  with  the  notable  exceptions  of  the  Submarine  Safety  (SUB  SAFE) 
and  reactor  safety  programs.  Other  than  these  high-performing  safety  functions,  with 
their  impeccable  track  records,  there  are  few  Program  Executive  Office  (PEO)  or  higher 
level  organizations  that  directly  fund  safety  programs  that  conduct  the  detailed  system  or 
subsystem  safety  analyzes  and  assessments.  Independent  safety  boards  do  exist,  such  as 
the  Weapon  System  Explosives  Safety  Review  Board  (WSESRB),  but  they  only  review 
the  safety  products  conducted  by  the  lower-level  organizations  with  the  Program  Office’s 
line  of  direction  and  funding.  One  of  the  authors  of  this  paper  has  had  the  unfortunate 
experience  of  not  one,  but  two  different  Program  Offices  stating  that  they  “had  paid 
enough  for  system  safety,”  and  would  not  fund  the  recommended  safety-related  tasking 
for  ordnance-related  submarine  systems.  This  sentiment  held  sway,  despite  the  fact  that 
there  was  a  clear,  objective  need  for  “more  safety.”  Ultimately  both  Program  Offices 
ended  up  expending  more  than  the  amount  of  resources  originally  requested  for  system 
safety,  correcting  deficiencies  in  products  that  a  more  robust  safety  program  would  have 
caught.  They  were  also  required  to  increase  the  amount  of  safety-related  tasking  in 
response  to  directives  and  recommendations  from  higher-level  safety  organizations.  This 
sort  of  attitude  reveals  a  certain  lack  of  understanding  of  the  need  for  and  value  of  an 
independent  safety  organization. 

2.  Recommendation 

Organizations  pursuing  high-risk,  life-risking,  technically-complex  endeavors 
need  to  ensure  that  their  safety  program  is  truly  independent  and  separately  sourced  from 
those  activities  it  critiques.  It  cannot  simply  be  a  paper  organizational  chart  which  is  not 
founded  on  reality.  The  safety  program,  like  any  overarching  management  or  integrated 
engineering  function,  should  be  empowered  to  act. 
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Truly  effective  safety  programs  like  the  SUBSAFE  program,  which  the  CAIB 
held  up  as  an  example  for  NASA  to  investigate,  more  than  pay  for  themselves  in 
accidents  avoided,  lives  not  lost,  programs  not  delayed,  reputations  untarnished,  missions 
completed,  and  national  admiration  maintained.  Empowerment  by  senior  leadership 
leaves  those  in  the  safety  community  with  a  mandate  to  act  autonomously  and  not 
consider  themselves  accountable  to  their  work  unit  or  center  management.  These 
functions,  and  the  personnel  perfonning  them,  must  be  distinct  and  inherently  objective, 
free  from  any  “product  line”  pressure  to  confonn  to  schedule,  budget,  etc.  In  effect,  they 
should  be  ombudsmen  for  the  end-user,  whether  that  is  a  sailor,  a  soldier,  or  an  astronaut. 
Furthermore,  management  should  not  have  more  than  one  role  or  responsibility  in  an 
organizational  structure.  This  is  particularly  true  for  safety  and  risk  management 
personnel.  While  multiple  roles  and  responsibility  are  often  advantageous  and 
economically-required  in  various  engineering  and  management  functions  associated  with 
large-scale  engineering  projects,  the  safety  management  activity  needs  to  be  shielded 
from  this  watering  down  of  their  focus,  responsibilities,  and  allegiances. 

Within  NAVSEA,  the  establishment  of  Technical  Warrant  Authority  (TWA)  has 
restored  some  of  the  autonomy  and  independent  oversight  of  NAVSEA  and  PEO 
products.  Warrant  Holders,  who  come  from  a  cross-section  of  NAVSEA  activities  and 
disciplines,  have  a  direct  covenant  with  the  Commanding  Officer  of  NAVSEA 
(COMNAVSEA).  Each  Warrant  Holder  has  the  ability  to  investigate  serious  technical, 
programmatic,  and  safety  matters  within  their  assigned  areas  of  responsibility.  They 
draw  on  the  cross-functional  expertise  of  lower-level  managers  and  engineering  staff. 
However,  a  majority  of  this  staff  is  funded  by  the  Program  Offices  for  which  the 
independent  TWA  has  been  assigned  oversight  of  their  products.  This  is  a  sub-optimal 
solution  and  seems  to  set  the  stage  for  competing  allegiances.  However,  to  date,  despite 
some  difficulties  in  implementation  with  the  Program  Offices,  Warrant  Holders  have 
been  able  to  effect  positive  and  much  needed  independent  assessments  of  various  matters, 
including  weapons  and  launcher  systems  safety.  The  size  of  the  TWAs’  budget  for 
executing  their  responsibilities  has  grown,  and  it  is  envisioned  that  further  growth  in 
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these  resources  will  reinforce  the  Warrant  Holders’  authority  and  independence. 
NAVSEA  and  PEO  organizations,  particularly  Ship  Construction  Managers,  are 
embracing  the  TWA  construct. 


F.  CONCLUSION  V 

1.  Conclusion 

Unrealistic  expectations  for  a  project’s  milestone  dates  and  unyielding  pressure  to 
meet  those  goals  can  combine  to  contribute  to  poor  outcomes  and  serious  mishaps. 

Both  the  Rogers  Commission  and  the  CAIB  found  that  the  Space  Shuttle 
Program’s  flight  rate  requirements  and  projections  did  not  match  a  realistic  assessment  of 
what  a  safely  obtainable  flight  rate  should  be.  The  CAIB  in  particular,  took  NASA  to 
task  for  not  setting  flight  rate  expectations  that  were  commensurate  with  available 
resources,  and  were  adequately  risk  balanced. 

This  sort  of  schedule  driven  pressure  is  rife  within  DoD,  as  projects  push  to  meet 
programmatic  schedule  milestones  in  an  effort  to  obtain  the  next  big  funding  increment 
such  as  that  when  a  program  reaches  Milestone  C  or  the  Full-Rate-Production  (FRP) 
milestone.  This  pressure  to  meet  a  calendar  date,  rather  than  a  level  of  system  maturity 
and  safety  is  also  due  to  the  need  to  synchronize  with  the  artificial  constraints  of  the 
Planning,  Programming,  Budgeting,  and  Execution  (PPB&E)  cycle.  The  equally  poor 
outcomes  can  be  seen  in  such  programs  as  the  V-22  Osprey,  where  nearly  two  dozen 
servicemen  died  in  test/training  accidents,  and  the  falsification  of  V-22  maintenance 
records  to  support  the  FRP  milestone  approval  was  executed  by  military  officials.  To  a 
lesser  extent,  DoD  projects  that  fail  miserably  during  testing  due  to  a  lack  of  design 
maturity  and  stability  at  the  time  of  the  “must  happen”  milestone  can  be  traced  to  this 
issue. 

2.  Recommendation 

Project  leaders  need  to  ensure  that  any  operational  tempo,  milestone  goals,  or 
schedule  drivers  are  balanced  with  the  amount  of  resources  available  and  the  risk 
assessment  of  this  balance  makes  certain  that  risks  assumed  are  recognized, 
comprehended,  and  acceptable. 
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After  reviewing  the  experiences  of  NASA  with  respect  to  this  recommendation, 
the  message  and  lesson-learned  is  clear  and  concise:  to  the  maximum  extent  possible,  a 
system  development  must  be  event-driven,  not  schedule-driven.  Obviously,  within  the 
DoD  arena,  any  organization  must  take  into  consideration  the  schedule  aspects  of  their 
work.  It  will  take  enlightened  leadership  from  all  stakeholders  to  balance  the  statutory 
schedule  requirements  with  a  schedule  that  derives  from  event  milestones  that  measure 
success,  not  simply  time  in  the  development  cycle. 


G.  CONCLUSION  VI 

1.  Conclusion 

Organizations  that  suffered  from  a  lack  of  a  consistent  systems  engineering 
approach  and  process  to  address  design  issues  increase  the  risk  of  failure  and  unintended 
consequences. 

Based  on  the  analysis  completed  to  answer  research  question  No.  2  of  this  thesis, 
it  is  clear  that  NASA,  though  one  of  the  world’s  preeminent  science  and  engineering 
organization,  had  a  lapse  in  the  consistent  application  of  a  rigorous  systems  engineering 
process,  where  design  changes  as  well  as  uncovered  flaws,  were  not  systematically 
investigated  for  “cascade  effect”  impacts  and  risks  to  other  design  features.  Combine 
these  inconsistent  systems  engineering  approach  with  the  nonnalization  of  deviance  and 
risk  assumption  described  by  Vaughan,  and  the  danger  of  faulty  reasoning  and  design 
implementation  goes  up  significantly. 

The  Defensive  Acquisition  University  (DAU)  defines  the  systems  engineering 
process  as  “a  top-down  comprehensive,  iterative,  and  recursive  problem  solving  process 
applied  sequentially  throughout  all  stages  of  development...”186  Figure  3,  below  provide 
a  flow  chart  of  the  fundamental  process.  As  this  paper  has  described,  the  ultimate  design 
of  the  Space  Shuttle  was  not  that  which  was  originally  conceived.  In  order  for  the  Space 
Shuttle  Program  to  remain  politically  viable  and  palatable,  design  compromises  were 
made  without  the  proper  realistic,  recursive  engineering  and  risk  analyses  being 


186  Systems  Engineering  Fundamentals,  Defense  Acquisition  University  Press,  Fort  Belvoir,  VA. 
January  2001.  p.  5. 
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conducted  to  assess  the  impact  of  these  concessions.  The  end  result  was  a  sub-optimal 
design  that  in  hindsight  had  clearly  fatal  flaws  that  were  poorly  understood. 


The  change  from  a  two-stage,  piloted  booster-orbiter  design  to  the  ultimate  design 
of  orbiter,  external  fuel  tank,  and  solid-propellant  boosters  set  in  motion  a  cascade  of 
design  risks.  First,  there  was  the  shift  from  the  cryogenic-liquid  propulsion  systems  so 
successfully  used  by  NASA  to  the  SRB  implementation  from  a  land-locked  vendor  who 
had  no  choice  but  to  ship  the  SRBs  in  sections.  This  introduced  the  infamous  O-ring 
design  that  doomed  Challenger.  Then,  as  a  result  of  the  step  away  from  the  two-stage, 
individually-piloted  shuttle  system,  the  size  of  the  orbiter  increased  and  its  former 
straight-winged  design  became  the  delta-wing  implementation  of  record.  Unfortunately 
the  shuttle’s  Thermal  Protection  System  (i.e.,  the  tiles)  design  was  well-suited  for  the 
straight-wing  version  of  the  orbiter,  not  the  complex-angle,  delta-wing  concept  ultimately 
flown.  Finally,  the  shift  to  the  external  fuel  tank  and  SRBs  introduced  the  foam-shedding 
phenomenon  with  the  initial  requirement  that  no  foam  be  shed,  thus  allowing  the  use  of 

Systems  Engineering  Fundamentals,  p.  6. 
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the  rather  fragile  thermal  tiles  that  were  the  optimal  TPS  solution  for  an  orbiter  design 
that  no  longer  existed.  The  very  first  shuttle  flight  initially  raised  the  alann,  when  a  large 
number  of  thermal  tiles  required  replacement.  However,  as  history  as  shown,  the 
continued  success  of  shuttle  missions  with  tile  loss  and  failure,  led  NASA  toward  the 
nonnalization  of  deviance  so  well-defined  above.  None  of  these  design  changes  were 
subjected  to  the  sort  of  rigorous  analysis  required  for  mission-critical  systems  with  lives 
at  risk.  Combine  this  shortcoming  with  risk  normalization,  and  it  was  only  a  matter  of 
time  before  a  serious  engineering  failure  occurred. 

In  the  case  of  DoD  programs,  the  experience  of  one  of  the  authors  of  this  work 
will  suffice  to  show  a  phenomenon  similar  to  that  found  in  NASA  with  respect  to  the 
systems  engineering  process.  During  the  development  of  a  new  family  of  submarine 
acoustic  countermeasures,  used  for  torpedo  evasion  and  threat  sonar  system  avoidance, 
multiple  unanticipated  hardware  failures  occurred  during  developmental  and  operational 
testing.  The  failures  all  dealt  with  the  effects  of  water  in-rush  into  the  countermeasure’s 
launch  tube  during  the  launch  process.  The  initial  failure  was  the  shearing  of  the  small 
plastic  propeller  used  to  provide  the  minimal  lift  required  for  the  countermeasures  to 
hover  after  launch.  Since  a  version  of  this  prop-driven  hover  system  with  a  metal 
propeller  had  been  used  successfully  in  previous  countenneasures,  the  metallic  version 
was  implemented  by  the  contractor  without  completely  reassessing  the  effect  this  change 
may  have  on  other  design  components  with  the  countermeasure.  That  is,  they  did  not 
properly  employ  the  systems  engineering  process  to  re-evaluate  the  consequences  and 
risks  of  their  design  modification. 

The  next  round  of  testing,  where  the  contractor  expected  everything  to  go  well, 
yielded  failures  of  the  gear  train  in  the  hover  motor.  Now  that  the  propeller  was  not 
breaking,  the  higher  loads  on  it  were  transmitted  to  its  shaft,  and  the  shaft  plastically 
deformed,  binding  the  hover  system.  The  shaft  design  was  modified  and  during  the  next 
series  of  tests  the  hardened  shaft  transmitted  high  loads  to  the  hover  motor’s  gear  train, 
which  failed.  Thus,  the  seemingly  sound  and  innocuous  change  of  materials,  based  on 
previous  success  and  on  what  in  effect  is  a  small,  model  airplane  propeller  and  hover 
motor,  yielded  a  series  of  costly  test  failures  and  schedule  delays  and  threatened  the 

delivery  of  critical  submarine  self-defense  capability  upgrades. 
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2.  Recommendation 

Organizations  pursuing  highly  complex  system  or  system-of-systems  designs 
should  employed  a  documented,  consistent  systems  engineering  process. 

The  implementation  of  this  recommendation  is  straightforward.  Most,  if  not  all 
activities,  have  systems  engineering  expertise  within  their  organization.  This  expertise 
should  be  identified,  and  utilized  within  the  constructs  of  a  defined,  documented  systems 
engineering  process.  A  systems  engineering  management  plan  should  be  developed,  or 
updated  if  one  already  exists.  This  document  needs  to  be  a  living  document  that  is 
tailored  to  meet  the  evolutionary  requirements  of  the  organization’s  mission  and  goals. 
Proper  training  and  professional  development  of  systems  engineers  is  of  the  utmost 
importance.  With  the  increasing  complexity  of  DoD  projects  and  the  concurrent 
implementation  of  system-of-systems,  capability-based  solution  requirements,  the  need  to 
ensure  that  system  design  changes  are  evaluated  in  a  comprehensive,  iterative  process,  to 
ensure  the  law  of  unintended  consequences  does  not  take  hold,  nor  the  risk  to  personnel 
or  mission  success  increased  without  identification  and  assessment  of  this  risk. 

H.  CONCLUSION  VII 

1.  Conclusion 

An  organization’s  structure  must  be  compatible  with  mission  requirements. 

The  major  problem  with  NASA  Space  Shuttle  Program’s  organizational  structure 
was  a  lack  of  overarching  programmatic  and  technical  authority  resident  in  a  top-level, 
cross-location,  cross-functional  position  and  staff.  Both  the  Rogers  Commission  and  the 
CAIB  identified  organizational  structure  flaws  and  responsibility  mismatches  as 
contributors  to  their  respective  accidents.  Because  of  the  lack  of  a  central  programmatic 
and  technical  organization,  not  aligned  with  any  one  NASA  center,  there  was  no  one 
seeing  the  “big  picture”  and  assessing  the  implications  of  the  integration  of  the  various 
subsystems  within  the  STS  -  fuel  tank,  orbiter,  and  boosters.  Furthermore,  when 
specialized  splinter  teams  were  formed  to  assess  problems  and  risks,  they  were  not 
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properly  empowered  nor  chartered  to  successfully  complete  their  tasks.  A  prime  example 
of  this  was  the  Debris  Assessment  Team,  formed  to  investigate  and  report  out  on  the 
implications  of  the  foam  strike  on  Columbia. 

For  organizations  like  NASA  the  message  is  equally  clear.  The  DoD  wrestled 
with  the  problem  of  establishing  the  sort  of  top-level  organizational  structure  that  could 
align  programmatic  and  technical  issues,  and  do  so  at  a  high  enough  level  to  manage  all 
facets  of  the  integration  of  complex  systems  of  systems.  The  restructuring  of  the  DoD 
that  resulted  from  the  work  of  Packard  Commission,  the  passage  of  the  Goldwater- 
Nichols  act,  and  other  more  recent  efforts  (DoD  5000  series  restructuring)  has  attempted 
to  solve  this  problem  with  mixed  success.  One  only  needs  to  examine  the  amount  of 
problems  and  delays  that  result  in  the  integration  of  such  complex  systems,  like  the  U.S. 
Navy’s  Seawolf  Class  submarine,  where  one  Program  Office  was  responsible  for  the 
ship’s  acquisition,  but  several  others  are  responsible  for  the  multitude  of  Government 
Furnished  Equipment  (GFE)  subsystems  integrated  into  the  ship’s  design. 

2.  Recommendation 

Organizations  need  to  ensure  that  there  is  an  overarching  integration  activity  or 
function  for  operations  and  that  this  group  has  the  authority  and  responsibility  for  the  top- 
level  integration  of  all  elements  within  a  project. 

This  organization  needs  to  have  the  autonomy,  resources,  and  mandate  to  direct 
high-level,  interdisciplinary  teams  in  pursuit  of  safe  and  successful  operations.  As  a 
corollary  to  this  dictum,  any  specialized  “Tiger  Teams”  need  to  have  the  appropriate 
charter  with  clear  roles,  responsibilities,  and  authority  as  required  to  complete  their  task. 
As  these  sorts  of  teams  are  typically  established  when  there  is  a  major  concern  or 
problem  within  an  organization,  it  is  crucial  that  the  aforementioned  framework  for  the 
team’s  success  is  in  place. 

With  respect  to  DoD-type  of  large-scale  programs,  the  continued  maturation  and 
implementation  of  the  Integrated  Product  and  Process  Development  (IPPD)  teams  for 
cross-functional,  concurrent  design,  utilizing  fundamental  systems  engineering  principals, 
will  help  alleviate  the  problem  of  organizational  structure  mismatch  with  mission 
function  and  performance  requirements.  For  example,  the  Virginia  Class  submarine 
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program  greatly  increased  the  use  of  the  IPPD  process  compared  to  preceding  submarine 
acquisition  programs.  While  far  from  perfect,  the  widespread  use  of  System  Integration 
Teams  and  Process  Integration  Teams  through  all  aspects  of  the  Virginia  Class  design, 
construction,  test,  and  lifecycle  support  aspects  resulted  in  a  much  shorter  lead-ship 
construction  delivery  timeline  than  previous  submarine  classes.  An  example  at  the  detail 
level  is  various  logistics  products  such  as  ordnance  handling  manuals,  Maintenance 
Requirement  Cards  (MRCs),  and  Allowance  Parts  Lists  (APLs)  were  delivered  with 
greater  fidelity  prior  to  the  lead  ship’s  delivery,  rather  than  after  it,  as  was  the  case  of  the 
Seawolf  Class.  Also,  in  the  instance  of  shock  qualification  of  the  External 
Countermeasure  Launcher  (ECL),  the  Virginia  Class  system  was  shock  test  and  qualified 
prior  to  lead  ship  delivery,  rather  than  after  it  like  the  Seawolf  Class.  Most  telling  is  that 
USS  Virginia  (SSN  774)  was  delivered  six  years  after  ordering,  while  USS  Seawolf  (SSN 
21)  was  delivered  8.5  years  after  ordering,  and  was  subject  to  an  extensive  construction 
and  test  period  due  to  multiple  series  design  and  workmanship  issues.  The  most  costly 
and  schedule-consuming  ones  included  weld  cracks  in  pressure  hull  sections  and  the  loss 
of  Wide  Aperture  Array  panels  during  at-sea  testing. 


I.  CONCLUSION  SUMMARY 

The  authors  of  this  work  found  evidence  of 

1)  Risk  acceptance  and  nonnalization  of  deviance. 

2)  A  shift  from  proving  a  positive  to  proving  a  negative  (safe  versus  not 
safe  to  fly). 

3)  Groupthink. 

4)  Lack  of  an  independent  and  adequately  resourced  safety  program. 

5)  Unrealistic  project  schedule  and  milestone  dates. 

6)  Lack  of  a  consistent  system  engineering  process. 

in  the  behavior  of  NASA  during  the  period  spanning  the  Challenger  and  Columbia 
accidents.  All  six  of  these  phenomena  were  present  thought  out  and  are  indicative  of 
cultural  defects  with  NASA. 
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In  order  to  address  these  cultural  deficiencies,  the  authors  provide  recommendations  to 


1)  Never  redefine  acceptable  performance  based  on  past  performance  and 
to  ensure  risk  assumption  is  based  upon  in-depth  analysis  and 
objective  assessment  of  risk  probability  and  consequences  of 
occurrence. 

2)  Consistently  maintain  the  requirement  to  prove  a  system  is  a  safe  and 
effective  to  operative,  rather  than  the  opposite. 

3)  Reveal  and  neutralize  groupthink. 

4)  Ensure  safety  programs  are  independent  and  separately  resourced  from 
those  activities  they  evaluate 

5)  Project  schedule,  milestones  and  operational  tempo  should  be  balanced 
with  the  amount  of  available  resources  and  be  based  upon  an  impartial, 
comprehensive  risk  assessment. 

6)  Utilize  a  documented,  consistent  systems  engineering  process. 


101 


THIS  PAGE  INTENTIONALLY  LEFT  BLANK 


102 


APPENDIX  A.  PRESIDENTIAL  COMMISSION  ON  THE  SPACE 
SHUTTLE  CHALLENGER  ACCIDENT  RECOMMENDATIONS 


The  Commission  has  conducted  an  extensive  investigation  of  the  Challenger 
accident  to  detennine  the  probable  cause  and  necessary  corrective  actions.  Based  on  the 
findings  and  detenninations  of  its  investigation,  the  Commission  has  unanimously 
adopted  recommendations  to  help  assure  the  return  to  safe  flight. 

The  Commission  urges  that  the  Administrator  of  NASA  submit,  one  year  from 
now,  a  report  to  the  President  on  the  progress  that  NASA  has  made  in  effecting  the 
Commission's  recommendations  set  forth  below: 

-I- 

Design.  The  faulty  Solid  Rocket  Motor  joint  and  seal  must  be  changed.  This 
could  be  a  new  design  eliminating  the  joint  or  a  redesign  of  the  current  joint  and  seal.  No 
design  options  should  be  prematurely  precluded  because  of  schedule,  cost,  or  reliance  on 
existing  hardware.  All  Solid  Rocket  Motor  joints  should  satisfy  the  following 
requirements: 

•  The  joints  should  be  fully  understood,  tested,  and  verified. 

•  The  integrity  of  the  structure  and  of  the  seals  of  all  joints  should  be  not  less 
than  that  of  the  case  walls  throughout  the  design  envelope. 

•  The  integrity  of  the  joints  should  be  insensitive  to: 

o  Dimensional  tolerances, 
o  Transportation  and  handling, 
o  Assembly  procedures, 
o  Inspection  and  test  procedures, 
o  Environmental  effects, 
o  Internal  case  operating  pressure, 
o  Recovery  and  reuse  effects, 
o  Flight  and  water  impact  loads. 

•  The  certification  of  the  new  design  should  include: 
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o  Tests  which  duplicate  the  actual  launch  configuration  as  closely  as 
possible. 

o  Tests  over  the  full  range  of  operating  conditions,  including  temperature. 

•  Full  consideration  should  be  given  to  conducting  static  firings  of  the  exact 
flight  configuration  in  a  vertical  attitude. 

Independent  Oversight.  The  Administrator  of  NASA  should  request  the 
National  Research  Council  to  form  an  independent  Solid  Rocket  Motor  design  oversight 
committee  to  implement  the  Commission's  design  recommendations  and  oversee  the 
design  effort.  This  committee  should: 

•  Review  and  evaluate  certification  requirements. 

•  Provide  technical  oversight  of  the  design,  test  program,  and  certification. 

•  Report  to  the  Administrator  of  NASA  on  the  adequacy  of  the  design  and  make 
appropriate  recommendations. 

-II- 

Shuttle  Management  Structure.  The  Shuttle  Program  Structure  should  be 
reviewed.  The  project  managers  for  the  various  elements  of  the  Shuttle  program  felt 
more  accountable  to  their  center  management  than  to  the  Shuttle  program  organization. 
Shuttle  element  funding,  work  package  definition  and  vital  program  information 
frequently  bypass  the  National  STS  (Shuttle)  Program  Manager. 

A  redefinition  of  the  Program  Manager's  responsibility  is  essential.  This 
redefinition  should  give  the  Program  Manager  the  requisite  authority  for  all  ongoing  STS 
operations.  Program  funding  and  all  Shuttle  Program  work  at  the  centers  should  be 
placed  clearly  under  the  Program  Manager's  authority. 

Astronauts  in  Management.  The  Commission  observes  that  there  appears  to  be 
a  departure  from  the  philosophy  of  the  1960s  and  1970s  relating  to  the  use  of  astronauts 
in  management  positions.  These  individuals  brought  to  their  positions  flight  experience 
and  a  keen  appreciation  of  operations  and  flight  safety. 
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•  NASA  should  encourage  the  transition  of  qualified  astronauts  into  agency 
management  positions. 

•  The  function  of  the  Flight  Crew  Operations  director  should  be  elevated  in  the 
NASA  organization  structure. 

Shuttle  Safety  Panel.  NASA  should  establish  an  STS  Safety  Advisory  Panel 
reporting  to  the  STS  Program  Manager.  The  Charter  of  this  panel  should  include  Shuttle 
operational  issues,  launch  commit  criteria,  flight  rules,  flight  readiness  and  risk 
management.  The  panel  should  include  representation  from  the  safety  organization, 
mission  operations,  and  the  astronaut  office. 

-  Ill  - 

Criticality  Review  and  Hazard  Analysis.  NASA  and  the  primary  Shuttle 
contractors  should  review  all  Criticality  1,  1R,  2,  and  2R  items  and  hazard  analyses.  This 
review  should  identity  those  items  that  must  be  improved  prior  to  flight  to  ensure  mission 
safety.  An  Audit  Panel,  appointed  by  the  National  Research  Council,  should  verify  the 
adequacy  of  the  effort  and  report  directly  to  the  Administrator  of  NASA. 

-IV- 

Safety  Organization.  NASA  should  establish  an  Office  of  Safety,  Reliability  and 
Quality  Assurance  to  be  headed  by  an  Associate  administrator,  reporting  directly  to  the 
NASA  Administrator.  It  would  have  direct  authority  for  safety,  reliability,  and  quality 
assurance  throughout  the  agency.  The  office  should  be  assigned  the  work  force  to  ensure 
adequate  oversight  of  its  functions  and  should  be  independent  of  other  NASA  functional 
and  program  responsibilities. 

The  responsibilities  of  this  office  should  include: 

•  The  safety,  reliability  and  quality  assurance  functions  as  they  relate  to  all 
NASA  activities  and  programs. 

•  Direction  of  reporting  and  documentation  of  problems,  problem  resolution 
and  trends  associated  with  flight  safety. 
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-  V- 


Improved  Communications.  The  Commission  found  that  Marshall  Space  Flight 
Center  project  managers,  because  of  a  tendency  at  Marshall  to  management  isolation, 
failed  to  provide  full  and  timely  information  bearing  on  the  safety  of  flight  51-L  to  other 
vital  elements  of  Shuttle  program  management. 

•  NASA  should  take  energetic  steps  to  eliminate  this  tendency  at  Marshall 
Space  Flight  Center,  whether  by  changes  of  personnel,  organization, 
indoctrination  or  all  three. 

•  A  policy  should  be  developed  which  governs  the  imposition  and  removal 
of  Shuttle  launch  constraints. 

•  Flight  Readiness  Reviews  and  Mission  Management  Team  meetings 
should  be  recorded. 

•  The  flight  crew  commander,  or  a  designated  representative,  should  attend 
the  Flight  Readiness  Review,  participate  in  acceptance  of  the  vehicle  for 
flight,  and  certify  that  the  crew  is  properly  prepared  for  flight. 

-VI- 

Landing  Safety.  NASA  must  take  actions  to  improve  landing  safety. 

•  The  tire,  brake  and  nosewheel  steering  systems  must  be  improved.  These 
systems  do  not  have  sufficient  safety  margin,  particularly  at  abort  landing 
sites. 

•  The  specific  conditions  under  which  planned  landings  at  Kennedy  would 
be  acceptable  should  be  determined.  Criteria  must  be  established  for  tires, 
brakes  and  nosewheel  steering.  Until  the  systems  meet  those  criteria  in 
high  fidelity  testing  that  is  verified  at  Edwards,  landing  at  Kennedy  should 
not  be  planned. 

•  Committing  to  a  specific  landing  site  requires  that  landing  area  weather  be 
forecast  more  than  an  hour  in  advance.  During  unpredictable  weather 
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periods  at  Kennedy,  program  officials  should  plan  on  Edwards  landings. 
Increased  landings  at  Edwards  may  necessitate  a  dual  ferry  capability. 

-VII- 

Launch  Abort  and  Crew  Escape.  The  Shuttle  program  management  considered 
first-stage  abort  options  and  crew  escape  options  several  times  during  the  history  of  the 
program,  but  because  of  limited  utility,  technical  infeasibility,  or  program  cost  and 
schedule,  no  systems  were  implemented.  The  Commission  recommends  that  NASA: 

•  Make  all  efforts  to  provide  a  crew  escape  system  for  use  during  controlled 
gliding  flight. 

•  Make  every  effort  to  increase  the  range  of  flight  conditions  under  which 
an  emergency  runway  landing  can  be  successfully  conducted  in  the  event 
that  two  or  three  main  engines  fail  early  in  ascent. 

-  VIII  - 

Flight  Rate.  The  nation's  reliance  on  the  Shuttle  as  its  principal  space  launch 
capability  created  a  relentless  pressure  on  NASA  to  increase  the  flight  rate.  Such  reliance 
on  a  single  launch  capability  should  be  avoided  in  the  future. 

NASA  must  establish  a  flight  rate  that  is  consistent  with  its  resources.  A  firm 
payload  assignment  policy  should  be  established.  The  policy  should  include  rigorous 
controls  on  cargo  manifest  changes  to  limit  the  pressures  such  changes  exert  on  schedules 
and  crew  training. 

-IX- 

Maintenance  Safeguards.  Installation,  test,  and  maintenance  procedures  must  be 
especially  rigorous  for  Space  Shuttle  items  designated  Criticality  1.  NASA  should 
establish  a  system  of  analyzing  and  reporting  performance  trends  of  such  items. 

Maintenance  procedures  for  such  items  should  be  specified  in  the  Critical  Items 
List,  especially  for  those  such  as  the  liquid-fueled  main  engines,  which  require  unstinting 
maintenance  and  overhaul. 
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With  regard  to  the  Orb  iters,  NASA  should: 


•  Develop  and  execute  a  comprehensive  maintenance  inspection  plan. 

•  Perfonn  periodic  structural  inspections  when  scheduled  and  not  permit 
them  to  be  waived. 

•  Restore  and  support  the  maintenance  and  spare  parts  programs,  and  stop 
the  practice  of  removing  parts  from  one  Orbiter  to  supply  another. 

Concluding  Thought 

The  Commission  urges  that  NASA  continue  to  receive  the  support  of  the 
Administration  and  the  nation.  The  agency  constitutes  a  national  resource  that  plays  a 
critical  role  in  space  exploration  and  development.  It  also  provides  a  symbol  of  national 
pride  and  technological  leadership. 

The  Commission  applauds  NASA's  spectacular  achievements  of  the  past  and 
anticipates  impressive  achievements  to  come.  The  findings  and  recommendations 
presented  in  this  report  are  intended  to  contribute  to  the  future  NASA  successes  that  the 
nation  both  expects  and  requires  as  the  21st  century  approaches. 
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APPENDIX  B.  COLUMBIA  ACCIDENT  INVESTIGATION 
BOARD  RECOMMENDATIONS 

PART  ONE  -  THE  ACCIDENT 

Thermal  Protection  System 

R3.2-1  Initiate  an  aggressive  program  to  eliminate  all  External  Tank  Thermal 
Protection  System  debris-shedding  at  the  source  with  particular  emphasis  on  the  region 
where  the  bipod  struts  attach  to  the  External  Tank. 

R3.3-2  Initiate  a  program  designed  to  increase  the  Orbiter’s  ability  to  sustain 
minor  debris  damage  by  measures  such  as  improved  impact-resistant  Reinforced  Carbon- 
Carbon  and  acreage  tiles.  This  program  should  determine  the  actual  impact  resistance  of 
current  materials  and  the  effect  of  likely  debris  strikes. 

R3.3-1  Develop  and  implement  a  comprehensive  inspection  plan  to  determine  the 
structural  integrity  of  all  Reinforced  Carbon-Carbon  system  components.  This  inspection 
plan  should  take  advantage  of  advanced  non-destructive  inspection  technology. 

R6.4-1  For  missions  to  the  International  Space  Station,  develop  a  practicable 
capability  to  inspect  and  effect  emergency  repairs  to  the  widest  possible  range  of  damage 
to  the  Thermal  Protection  Sys-tem,  including  both  tile  and  Reinforced  Carbon-Carbon, 
taking  advantage  of  the  additional  capabilities  available  when  near  to  or  docked  at  the 
International  Space  Station. 

For  non-Station  missions,  develop  a  comprehensive  autonomous  (independent  of 
Station)  inspection  and  repair  capability  to  cover  the  widest  possible  range  of  damage 
scenarios. 

Accomplish  an  in-orbit  Thermal  Protection  System  inspection,  using  appropriate 
assets  and  capabilities,  early  in  all  missions. 

The  ultimate  objective  should  be  a  fully  autonomous  capability  for  all  missions  to 
address  the  possibility  that  an  International  Space  Station  mission  fails  to  achieve  the 
correct  orbit,  fails  to  dock  successfully,  or  is  damaged  during  or  after  undocking. 
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R3.3-3  To  the  extent  possible,  increase  the  Orbiter’s  ability  to  successfully  re¬ 
enter  Earth’s  atmosphere  with  minor  leading  edge  structural  sub-system  damage. 

In  order  to  understand  the  true  material  characteristics  of  Reinforced  Carbon- 
Carbon  components,  develop  a  comprehensive  database  of  flown  Reinforced  Carbon- 
Carbon  material  characteristics  by  destructive  testing  and  evaluation. 

R3.3-5  Improve  the  maintenance  of  launch  pad  structures  to  minimize  the 
leaching  of  zinc  primer  onto  Reinforced  Carbon-Carbon  components. 

R3.8-1  Obtain  sufficient  spare  Reinforced  Carbon-Carbon  panel  assemblies  and 
associated  support  components  to  ensure  that  decisions  on  Reinforced  Carbon-Carbon 
maintenance  are  made  on  the  basis  of  component  specifications,  free  of  external 
pressures  relating  to  schedules,  costs,  or  other  considerations. 

R3.8-2  Develop,  validate,  and  maintain  physics-based  computer  models  to 
evaluate  Thermal  Protection  System  damage  from  debris  impacts.  These  tools  should 
provide  realistic  and  timely  estimates  of  any  impact  damage  from  possible  debris  from 
any  source  that  may  ultimately  impact  the  Orbiter.  Establish  impact  damage  thresholds 
that  trigger  responsive  corrective  action,  such  as  in-orbit  inspection  and  repair,  when 
indicated. 

Imaging 

R3.4-1  Upgrade  the  imaging  system  to  be  capable  of  providing  a  minimum  of 
three  useful  views  of  the  Space  Shuttle  from  liftoff  to  at  least  Solid  Rocket  Booster 
separation,  along  any  expected  ascent  azimuth.  The  operational  status  of  these  assets 
should  be  included  in  the  Launch  Commit  Criteria  for  future  launches.  Consider  using 
ships  or  aircraft  to  provide  additional  views  of  the  Shuttle  during  ascent. 

R3.4-2  Provide  a  capability  to  obtain  and  downlink  high-resolution  images  of  the 
External  Tank  after  it  separates. 

R3.4-3  Provide  a  capability  to  obtain  and  downlink  high-resolution  images  of  the 
underside  of  the  Orbiter  wing  leading  edge  and  forward  section  of  both  wings. 
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R6.3-2  Modify  the  Memorandum  of  Agreement  with  the  National  Imagery  and 
Mapping  Agency  to  make  the  imaging  of  each  Shuttle  flight  while  on  orbit  a  standard 
requirement. 

Orbiter  Sensor  Data 

R3.6-1  The  Modular  Auxiliary  Data  System  instrumentation  and  sensor  suite  on 
each  Orbiter  should  be  maintained  and  updated  to  include  current  sensor  and  data 
acquisition  technologies. 

R3.6-2  The  Modular  Auxiliary  Data  System  should  be  redesigned  to  include 
engineering  performance  and  vehicle  health  information,  and  have  the  ability  to  be 
reconfigured  during  flight  in  order  to  allow  certain  data  to  be  recorded,  telemetered,  or 
both  as  needs  change. 

Wiring 

R4.2-2  As  part  of  the  Shuttle  Service  Life  Extension  Program  and  potential  40- 
year  service  life,  develop  a  state-of-the-art  means  to  inspect  all  Orbiter  wiring,  including 
that  which  is  inaccessible. 

Bolt  Catchers 

R4.2-1  Test  and  qualify  the  flight  hardware  bolt  catchers. 

Closeouts 

R4.2-3  Require  that  at  least  two  employees  attend  all  final  closeouts  and  intertank 
area  hand-spraying  procedures. 

Micrometeoroid  and  Orbital  Debris 

R4.2-4  Require  the  Space  Shuttle  to  be  operated  with  the  same  degree  of  safety 
for  micrometeoroid  and  orbital  debris  as  the  degree  of  safety  calculated  for  the 
International  Space  Station.  Change  the  micrometeoroid  and  orbital  debris  safety  criteria 
from  guidelines  to  requirements. 
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Foreign  Object  Debris 

R4.2-5  Kennedy  Space  Center  Quality  Assurance  and  United  Space  Alliance  must 
return  to  the  straightforward,  industry-standard  definition  of  “Foreign  Object  Debris”  and 
eliminate  any  alternate  or  statistically  deceptive  definitions  like  “processing  debris.” 


PART  TWO  -  WHY  THE  ACCIDENT  OCCURRED 

Scheduling 

R6.2-1  Adopt  and  maintain  a  Shuttle  flight  schedule  that  is  consistent  with 
available  resources.  Although  schedule  deadlines  are  an  important  management  tool, 
those  deadlines  must  be  regularly  evaluated  to  ensure  that  any  additional  risk  incurred  to 
meet  the  schedule  is  recognized,  understood,  and  acceptable. 

Training 

R6.3-1  Implement  an  expanded  training  program  in  which  the  Mission 
Management  Team  faces  potential  crew  and  vehicle  safety  contingencies  beyond  launch 
and  ascent.  These  contingencies  should  involve  potential  loss  of  Shuttle  or  crew,  contain 
numerous  uncertainties  and  unknowns,  and  require  the  Mission  Management  Team  to 
assemble  and  interact  with  support  organizations  across  NASA/Contractor  lines  and  in 
various  locations. 

Organization 

R7.5-1  Establish  an  independent  Technical  Engineering  Authority  that  is 
responsible  for  technical  requirements  and  all  waivers  to  them,  and  will  build  a 
disciplined,  systematic  approach  to  identifying,  analyzing,  and  controlling  hazards 
throughout  the  life  cycle  of  the  Shuttle  System.  The  independent  technical  authority  does 
the  following  as  a  minimum: 

•  Develop  and  maintain  technical  standards  for  all  Space  Shuttle  Program 
projects  and  elements 

•  Be  the  sole  waiver-granting  authority  for  all  technical  standards 
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•  Conduct  trend  and  risk  analysis  at  the  sub-system,  system,  and  enterprise 
levels 

•  Own  the  failure  mode,  effects  analysis  and  hazard  reporting  systems 

•  Conduct  integrated  hazard  analysis 

•  Decide  what  is  and  is  not  an  anomalous  event 

•  Independently  verify  launch  readiness 

•  Approve  the  provisions  of  the  re-certification  program  called  for  in 
Recommendation  R9. 1  - 1 . 

The  Technical  Engineering  Authority  should  be  funded  directly  from  NASA 
Headquarters,  and  should  have  no  connection  to  or  responsibility  for  schedule  or  program 
cost. 

R7.5-2  NASA  Headquarters  Office  of  Safety  and  Mission  Assurance  should  have 
direct  line  authority  over  the  entire  Space  Shuttle  Program  safety  organization  and  should 
be  independently  resourced. 

R7.5-3  Reorganize  the  Space  Shuttle  Integration  Office  to  make  it  capable  of 
integrating  all  elements  of  the  Space  Shuttle  Program,  including  the  Orbiter. 


PART  THREE  -  A  LOOK  AHEAD 
Organization 

R9.1-1  Prepare  a  detailed  plan  for  defining,  establishing,  transitioning,  and 
implementing  an  independent  Technical  Engineering  Authority,  independent  safety 
program,  and  a  reorganized  Space  Shuttle  Integration  Office  as  described  in  R7.5-1, 
R7.5-2,  and  R7.5-3.  In  addition,  NASA  should  submit  annual  reports  to  Congress,  as  part 
of  the  budget  review  process,  on  its  implementation  activities. 
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Re-certification 


R9.2-1  Prior  to  operating  the  Shuttle  beyond  2010,  develop  and  conduct  a  vehicle 
re-certification  at  the  material,  component,  subsystem,  and  system  levels.  Re¬ 
certification  requirements  should  be  included  in  the  Service  Life  Extension  Program. 

Closeout  Photos/Drawing  System 

R1 0.3-1  Develop  an  interim  program  of  closeout  photographs  for  all  critical  sub¬ 
systems  that  differ  from  engineering  drawings.  Digitize  the  close-out  photograph  system 
so  that  images  are  immediately  available  for  in-orbit  troubleshooting. 

R1 0.3-2  Provide  adequate  resources  for  a  long-term  program  to  upgrade  the 
Shuttle  engineering  drawing  system  including: 

•  Reviewing  drawings  for  accuracy 

•  Converting  all  drawings  to  a  computer-aided  drafting  system 

•  Incorporating  engineering  changes 
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APPENDIX  C.  GROUPTHINK  DEFINED 


Group  think  is  the  term  coined  by  the  noted  Yale  research  psychologist,  Irving  L. 
Janis,  to  describe  the  phenomenon  by  which  a  talented,  intelligent,  high-performing,  and 
usually  high-powered  group  makes  horrible  decisions.  Janis  defined  groupthink  as  “a 
quick  and  easy  way  to  refer  to  a  mode  of  thinking  that  persons  engage  in  when  they  are 
deeply  involved  in  a  cohesive  in-group,  when  concurrence-seeking  becomes  so  dominant 
that  it  tends  to  override  critical  thinking  or  realistic  appraisal  of  alternative  courses  of 
action.”188  Janis  developed  the  theory  of  groupthink  in  an  attempt  to  explain  how 
seemingly  rational,  exceptionally  intellectually-talented  people  can  collectively  make 
very  poor  decisions.  Janis  looked  at  the  case  of  the  United  State’s  action,  or  lack  thereof, 
prior  to  the  Japanese  attack  on  Pearl  Harbor,  the  Kennedy  administration’s  decisions 
regarding  the  Bay  of  Pigs,  and  the  Johnson  administration’s  escalation  of  the  Vietnam 
War,  among  others.  In  the  case  of  the  Bay  of  Pigs  fiasco,  Janis  was  seeking  rationale  as 
to  why,  as  Janis  put  it,  “one  of  the  greatest  arrays  of  intellectual  talent  in  the  history  of 
American  government  -  Dean  Rusk,  Robert  McNamara,  Douglas  Dillon,  Robert 
Kennedy,  McGeorge  Bundy,  Arthur  Schlesinger,  Allen  Dulles...”189  collectively 
blundered  to  the  point  that  President  Kennedy  stated,  “How  could  we  have  been  so 
stupid?”190  Janis  felt  certain  that  simple  stupidity  was  not  the  answer,  nor  was  a  study  of 
the  behavior  of  individuals  in  the  in-group  likely  to  provide  true  insight.  So,  after 
rigorously  exploring  group  dynamics  through  review  of  the  aforementioned  pivotal 
episodes  in  history  and  other  case  studies,  the  conduct  of  experimental  situations,  and  the 
review  of  vast  amounts  of  documentation,  Janis  derived  groupthink  as  a  theory  that  fit 
consistently  with  the  facts  and  records  of  the  decision-making  processes  and  personalities 
he  studied.  Over  the  course  of  the  1970’s  and  early  1980’s  Janis  further  developed  and 
structured  his  groupthink  construct. 

Janis  instructs  us  that  there  are  three  antecedent  conditions  for  the  development  of 
groupthink  to  occur.  These  precursors  are:  a  highly  cohesive  group,  leader  preference 

188  Janis,  I.L.,  Groupthink,  2nd  edition,  p.8,  Houghton  Mifflin,  Boston,  1982. 

189  Janis,  I.L.,  Victims  of  Groupthink:  A  Psychology  Study  of  Foreign  Policy,  p.  173. 

190  Janis,  Victims  of  Groupthink:  A  Psychology’  Study  of  Foreign  Policy,  p.  173. 
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for  a  certain  decision,  and  the  insulation  of  the  group  from  qualified,  outside  opinions.191 
Janis  described  eight  symptoms  of  groupthink  and  placed  them  in  three  category  types. 
Type  I  symptoms  are  those  that  reveal  an  overestimation  of  the  group  with  respect  to  its 
power  and  morality,  Type  II  symptoms  are  those  that  show  closed-mindedness,  and  Type 
III  symptoms  are  those  that  expose  pressures  towards  uniformity  within  the  group.192 
There  are  two  Type  I  symptoms,  two  Type  II,  and  four  Type  III. 

The  Type  I  groupthink  symptoms  are  (1)  an  illusion  of  invulnerability  and  (2)  an 
unquestioned  belief  in  the  group’s  inherent  morality.  With  a  shared  illusion  of 
invulnerability,  the  group,  or  a  majority  of  its  members  display  a  remarkable  degree  of 
over-optimism  and  risk  assumption.  In  the  words  of  Janis,  this  collective  sense  of 
invincibility  “causes  them  [the  in-group]  to  fail  to  respond  to  clear  warnings  of 
danger.”193  When  the  group  believes  it  has  an  inherent  morality,  the  members  are 
disposed  to  overlook  the  moral  or  ethical  consequences  of  their  decisions.194 

Type  II  symptoms  of  groupthink  are  (3)  stereotyped  negative  views  of  rivals  or 
anyone  with  a  competing  or  contrary  opinion,  and  (4)  the  collective  fonnation  of 
rationalizations  that  write  off  warnings  and  similar  negative  feedback.  With  the 
occurrence  of  stereotyped  views  of  any  “opponents”,  the  group  deems  the  opposition  too 
weak  or  stupid  to  understand  the  problem  or  deal  with  it  successfully.195  Rationalizations 
that  dismiss  warnings  serve  to  block  members  of  the  group  from  reviewing  data  or  other 
signs  that  would  lead  them  to  reconsider  their  assumptions  before  recommitting 
themselves  to  those  suppositions. 

The  Type  III  indicators  of  groupthink  having  taken  hold  within  a  group  are  (5) 
self-censorship  of  deviations,  (6)  direct  pressure  on  the  membership  to  maintain 
conformity,  (7)  a  shared  illusion  of  unanimity,  and  (8)  the  emergence  of  self-appointed 

191  G.  Moorhead,  R.  Ference,  and  C.  Neck,  Group  Decision  Fiascoes  Continue:  Space  Shuttle 
Challenger  and  a  Revised  Groupthink  Framework,  p.  541,  Human  Relations,  Vol.  44,  No.  6,  1991. 

192  C.  Ferraris,  and  R.  Carveth,  NASA  and  the  Columbia  Disaster:  Decision-making  by  Groupthink?, 
p.  2,  Proceedings  of  the  2003  Association  for  Business  Communications  Annual  Convention,  2003. 

193  Janis,  Victims  of  Groupthink:  A  Psychology’  Study  of  Foreign  Policy,  p.  175. 

194  1.  L.  Janis,  “Groupthink  Among  Policy  Makers,”  Sanctions  for  Evil,  ed.  N.  Sanford  and  C. 
Comstock,  p.  77,  Jossey-Bass,  San  Francisco,  1971. 

195  Moorhead,  et  al.  Group  Decision  Fiascoes  Continue:  Space  Shuttle  Challenger  and  a  Revised 
Groupthink  Framework,  p.  543. 
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“mindguards.”196  When  self-censorship  exists,  group  members  withhold  dissenting 
views,  counter-arguments,  and  misgivings  over  the  chosen  path.  Groups  that  are  infected 
with  group  think  will,  as  Janis  put  it,  “exert  direct  pressure  on  any  member  who  expresses 
strong  arguments  against  any  of  the  group’s  stereotypes,  illusions,  or  commitments, 
making  clear  that  this  type  of  dissent  is  contrary  to  what  is  expected  of  all  loyal 
members.”197  With  a  shared  illusion  of  unanimity  manifested,  a  cohort’s  membership 
falsely  perceives  that  everyone  agrees  with  the  group’s  decisions;  silence  is  taken  as 
consent.  Finally,  any  self-appointed  mindguards  that  arise  from  within  the  group  will  act 
to  protect  the  collective  from  negative  information  that  might  threaten  the  group’s 
cohesion  or  complacency.  A  classic  example  of  a  mindguard  is  Robert  F.  Kennedy 
behavior  during  the  run-up  to  the  Bay  of  Pigs  invasion.  During  a  party  for  his  wife, 
Kennedy  confronted  Arthur  Schlesinger,  who  was  opposed  to  the  invasion  plan.  After 
Schlesinger  had  explained  his  position,  Kennedy  responded  with: 

You  may  be  right  or  you  may  be  wrong,  but  the  President  has  made  his  mind  up. 
Don’t  push  it  any  further.  Now  is  the  time  for  everyone  to  help  him  all  they  can.198 

Table  1,  below,  provides  a  succinct  listing  of  the  symptoms  of  groupthink. 


196  Janis,  Victims  of  Groupthink:  A  Psychology’  Study  of  Foreign  Policy,  p.  176. 

197  Janis,  Groupthink,  p.  174. 

198  Janis,  Groupthink,  p.  41. 
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Type 

Symptom 

Manifestation 

I 

Illusion  of  Invulnerability 

Members  ignore  obvious  danger,  take  extreme 
risk,  and  are  overly  optimistic 

Unquestioned  Belief  in  the 
Groups  Inherent  Morality 

Members  believe  their  decisions  are  morally 
correct,  ignoring  the  ethical  consequences  of 
their  decisions 

II 

Excessive  Stereotyping 

The  group  constructs  negative  stereotypes  of 
rivals  outside  the  group 

Rationalization  or  Discount 
Warnings 

Members  discredit  and  explain  away  warning 
contrary  to  group  thinking 

III 

Self-Censorship  of 
Deviations 

Members  withhold  their  dissenting  views  and 
counter-arguments 

Direct  Pressure  on  a  Member 
for  Conformity 

Members  pressure  any  in  the  group  who  express 
arguments  against  the  group's  stereotypes, 
illusions,  or  commitments,  viewing  such 
opposition  as  disloyalty 

A  Shared  Illusion  of 
Unanimity 

Members  perceive  falsely  that  everyone  agrees 
with  the  group's  decision;  silence  is  seen  as 
consent 

The  emergence  of  a  self- 
appointed  “Mindguard” 

Some  members  appoint  themselves  to  the  role  of 
protecting  the  group  from  adverse  information 
that  might  threaten  group  complacency 

Table  1-  Groupthink  Symptoms 


Defective  decision-making  as  the  outcome  of  groupthink  can  take  several  forms. 
They  include  failure  to  completely  consider  alternatives,  no  re-examination  of 
alternatives,  rejection  of  expert  opinion,  the  dismissal  of  negative  information,  and  the 
lack  of  contingency  plans.199  Figure  3,  below  provides  a  depiction  of  Jams’  groupthink 
model.  This  fully  developed  framework  will  now  be  applied  to  the  Challenger  and 
Columbia  incidents  to  determine  whether  the  evidence  exits  to  reasonably  conclude  that 
groupthink  was  at  work  at  NASA. 


199  Janis,  Groupthink,  p.  145. 
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APPENDIX  D.  GROUPTHINK  REMEDIES 


Janis’s  nine  remedies  for  groupthink  are  revealed  in  greater  detail  below  and  are 
suggested  for  use  as  tools  to  preclude  groupthink  from  taking  hold  in  an  organization. 

1.  Encourage  critical  thinking 

The  organization  must  maintain  an  atmosphere  where  all  members  are  allowed  to 
express  their  opinions  and  concerns  without  fear  of  pressure  or  resentment.  Leadership 
should  accept  minority  opinions  and  dissent  without  any  disapproving  feedback,  even  in 
the  form  of  gestures  or  body  language. 

2.  Leadership  should  attempt  to  remain  impartial  to  ideas  or  proposals 

It  is  often  observed  and  experienced  by  the  authors  of  this  paper  that  when  a 
leader  expresses  a  preference  before  the  group,  the  group  members  often  act  to  concur 
with  the  leadership  preference,  whether  they  consciously  do  so  or  not.  This  phenomenon 
short-circuits  the  critical  thinking  process.  Leaders  need  to  ensure  they  don’t  show  bias 
for  or  against  any  solutions  early  in  the  process.  This  encourages  the  group  to  conduct  an 
open  inquiry  of  wide-ranging  action  alternatives. 

3.  Use  multiple  subgroups  in  parallel  with  different  leaders  to  work  the 
same  problem 

Different  subgroups  with  diverse  leadership  tend  to  explore  differing  alternatives 
under  varied  leadership  styles.  This  will  likely  result  in  a  broader  spectrum  of  solutions 
and  criticisms  being  obtained. 

4.  Reconvene  the  smaller  subgroups  to  reach  a  combined  decision 

As  with  the  use  of  smaller  subsets  of  the  larger  group  to  work  the  problem,  these 
smaller  groups  should  reassembled  to  collaboratively  assemble  the  range  of  proposals, 
risk,  and  criticisms  generated  in  the  subgroups.  This  is  likely  to  yield  a  wide-ranging 
spectrum  of  possible  alternatives  for  action. 
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5.  Each  member  of  the  group(s)  should  be  empowered  and  authorized  to 
discuss  the  group’s  progress  with  trusted  associates  outside  the  “in-group”,  but 
within  the  larger  organization 

While  ensuring  that  the  “outsider”  is  trustworthy,  the  discussion  of  the  group’s 
efforts  with  someone  outside  of  the  collective,  yet  understanding  of  the  larger 
organization’s  mission  and  needs,  will  likely  bring  some  fresh  idea  and  views  to  the 
problem.  This  will  help  counteract  any  tendency  towards  narrow-mindedness,  even 
within  the  subgroups. 

6.  Outside  expert  opinion  should  be  allowed 

The  group  needs  to  embrace  the  idea  that  outside  experts  should  be  allowed  to 
provide  periodic  assessments  and  “sanity  checks”  of  the  groups  ideas  and  actions.  These 
external  specialists  will  hopefully  challenge  the  group’s  ideas,  assumptions,  and 
undertakings  so  that  the  risk  of  overlooking  something  crucial  is  minimized. 

7.  A  devil’s  advocate  should  be  assigned  within  the  group 

A  member  of  the  group,  usually  in  a  rotational  role,  should  act  as  a  devil’s 
advocate  to  critically  appraise  proposals,  ideas,  and  to  basically  question  everything, 
especially  majority  opinions.  The  devil’s  advocate  must  take  the  role  seriously  and  not 
pull  any  punches,  lest  this  result  in  the  group  coming  to  believe  a  bad  decision  has  been 
properly  scrutinized  and  then  blessed  by  the  advocate. 

8.  Take  time  to  discuss  potential  opposing  views  and  responses 

At  times  when  the  efforts  of  the  group  may  bring  them  into  conflict  with  outside 
organizations  and  perceptions  (e.g.,  senior  management,  Congress,  etc.),  they  should 
take  the  time  to  put  themselves  in  the  place  of  their  “opposition”  and  attempt  to 
characterize  the  possible  concerns  and  responses  those  organizations  may  have  regarding 
the  group’s  activities.  This  could  be  thought  of  as  a  “stakeholder”  analysis  and  will  serve 
to  improve  the  quality  of  the  decisions  made  and  the  group’s  execution  plans  for  them. 


120 


9.  Have  a  “second  chance”  meeting  prior  to  a  final  decision 

Prior  to  making  a  final  decision  and  taking  action,  the  group  should  convene  to 
hold  a  meeting  where  every  member  of  the  group  is  encouraged  and  allowed,  without 
bias  or  pressure,  to  express  any  lingering  doubts  or  concerns  with  the  consensus  reached 
previously. 


ANTECEDENTS 


OBSERVABLE  CONSEQUENCES 


Decision  Makers  A 
Cohesive  Group 


B-1 

Structural  Faults 


1.  Insulation  of  Group 

2.  Lack  of  Tradition  of 
Impartial  Leadership 

3.  Lack  of  Norms  for 
Methodical  Procedures 

4.Homogeneity  of  Group 


B-2 

Provocative  Context 


1.  High  stress  from 
external  threats 

2.  Lorn  self-esteem: 
Recent  Failures 

Excessive  Complexity 
Moral  Dilemmas 
etc 
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Seeking 
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T 


Low  Probability  of 
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Figure  3  -  Groupthink  Model200 


200  Janis,  I.  L.,  and  L.  Mann,  Decision  Making,  p.  87,  Free  Press,  New  York,  1977. 
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